New firewalling technique proposal
Jonas Lochmann
ich at jolo.software
Fri Oct 31 10:30:57 PDT 2025
On Fri, Oct 31, 2025 at 04:30:49PM +0000, Aaron Gray wrote:
> The initial concept is very simple, basically tallying all outgoing
> and optionally incoming IP packets with a record of all DNS IP
> requests, by using an iptables extension module.
Why iptables and not nftables? Why an extension module? All you need
is already in the kernel: ip sets, rules and forwarding specific packets
(DNS) to user space.
> In addition to this, is the idea of an OpenWRT web user interface
> extension to manage connections, this would show all open connections.
> With the additional optional functionality of only allowing new
> connections to new IP addresses and/or domains when they are validated
> by the user. Any unknown IP traffic will be denied and flagged up with
> reverse IP lookup attempted and domains displayed. Options for
> allowing whitelists of all Ubuntu, Debian, Microsoft Windows,
> installer and update IPs can also be added.
Honestly, this sounds like some toy for people that don't know what
they are doing. CDNs limit its use.
For restrictive setups, proxies are used today. Those could be
transparent proxies.
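As an added illustration of the set-plus-user-space approach sketched in this reply (it is not code from the thread, nor from OpenWrt or nftables): the kernel side is a ruleset whose forward chain hands DNS answers to an nfqueue and otherwise only accepts destinations present in timed sets; the user-space side parses each answer and turns every A/AAAA record into an `nft add element` command with a timeout taken from the record TTL. The table and set names, the queue number, the 30 s minimum timeout and the sample DNS response bytes are all assumptions made for this example.

```python
"""Turn DNS answers seen by the router into nftables set elements (example code)."""
import ipaddress
import struct

# Assumed ruleset layout: DNS replies go to nfqueue 0 before the conntrack
# accept so user space sees them; anything else must already be in a set.
NFT_RULESET = """
table inet filter {
    set dns_allowed_v4 { type ipv4_addr; flags timeout; }
    set dns_allowed_v6 { type ipv6_addr; flags timeout; }
    chain forward {
        type filter hook forward priority 0; policy drop;
        udp sport 53 queue num 0 bypass
        ct state established,related accept
        udp dport 53 accept
        ip daddr @dns_allowed_v4 accept
        ip6 daddr @dns_allowed_v6 accept
        log prefix "not-resolved: " drop
    }
}
"""


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Read a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (14-bit offset)
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_answers(data: bytes) -> list[tuple[str, str, int]]:
    """Return (owner, address, ttl) for each IN A/AAAA record in the answer section."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000:
        return []  # a query, not a response
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rclass == 1 and rtype == 1 and rdlength == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
        elif rclass == 1 and rtype == 28 and rdlength == 16:
            records.append((name, str(ipaddress.IPv6Address(rdata)), ttl))
    return records


def nft_set_elements(records, table="inet filter",
                     set_v4="dns_allowed_v4", set_v6="dns_allowed_v6") -> list[str]:
    """Build `nft` commands that add each resolved address with a TTL-based timeout."""
    cmds = []
    for _name, addr, ttl in records:
        set_name = set_v4 if ipaddress.ip_address(addr).version == 4 else set_v6
        timeout = max(ttl, 30)  # assumed floor so a tiny TTL cannot expire before the client connects
        cmds.append(f"add element {table} {set_name} {{ {addr} timeout {timeout}s }}")
    return cmds


# Constructed sample response: www.example.com -> CNAME example.com -> A + AAAA,
# with compression pointers to offsets 12 (www.example.com) and 16 (example.com).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x03\x00\x00\x00\x00"            # header: response, 1 Q, 3 answers
    + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"          # question: www.example.com A IN
    + b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x0e\x10\x00\x02" + b"\xc0\x10"   # CNAME, TTL 3600
    + b"\xc0\x10\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04" + bytes([192, 0, 2, 10])  # A, TTL 300
    + b"\xc0\x10\x00\x1c\x00\x01\x00\x00\x00\x0a\x00\x10"
    + ipaddress.IPv6Address("2001:db8::10").packed                        # AAAA, TTL 10
)

if __name__ == "__main__":
    for cmd in nft_set_elements(parse_dns_answers(SAMPLE_RESPONSE)):
        print(cmd)  # feed to `nft -f -` or the nfqueue callback in a real deployment
```

In a deployment the parser would run inside the nfqueue callback (for instance via a netfilterqueue binding), emit the elements, and then issue an ACCEPT verdict so the answer reaches the client; the 30 s floor and the set names are the example's choices, not anything the thread prescribes. The CDN caveat in the reply applies unchanged: an address learned from one name may serve many unrelated hosts.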