New firewalling technique proposal
Aaron Gray
aaronngray.lists at gmail.com
Fri Oct 31 12:20:48 PDT 2025
Hi Jonas,
On Fri, 31 Oct 2025 at 17:31, Jonas Lochmann <ich at jolo.software> wrote:
>
> On Fri, Oct 31, 2025 at 04:30:49PM +0000, Aaron Gray wrote:
> > The initial concept is very simple, basically tallying all outgoing
> > and optionally incoming IP packets with a record of all DNS IP
> > requests, by using an iptables extension module.
>
> Why iptables and not nftables?
Sorry, I actually meant nftables; I have been using firewalling since
the mid-2000s for servers.
> Why an extension module?
I thought a purpose-built module would potentially be more efficient
and possibly require only one or two rules.
> All you need
> is already in the kernel: ip sets, rules and forwarding specific packets
> (DNS) to the user space.
So does the existing OpenVPN actually check IPs against previous DNS
request reply IPs?
If it is not an out-of-the-box configuration, how would I configure
OpenVPN to do so, please?
> > In addition to this, is the idea of an OpenWRT web user interface
> > extension to manage connections; this would show all open connections,
> > with the additional optional functionality of only allowing new
> > connections to new IP addresses and/or domains when they are validated
> > by the user. Any unknown IP traffic will be denied and flagged up, with
> > reverse IP lookup attempted and domains displayed. Options for
> > allowing whitelists of all Ubuntu, Debian, Microsoft Windows,
> > installer and update IPs can also be added.
>
> Honestly, this sounds like some toy for people that don't know what
> they are doing.
I am not really that much of a noob; I did happen to run dual
mirrored servers for 7 years with 36 hours of downtime due to power and
internet outages, of which 1 hour was my fault ;)
For running multiple devices using OpenWRT I would find proper
instrumentation more than useful.
> CDNs limit its use.
How do Content Delivery Networks work with this? Is this just
blacklists and whitelists rather than DNS-based blacklists? If there
are whitelists for all the major operating systems' installation and
updates, this would be great!
> For restrictive setups, proxies are used today. Those could be
> transparent proxies.
I am not really sure how proxies are relevant, please explain.
Sorry, I don't wish to sound rude; I really don't know OpenWRT itself
that well yet, despite using it for a while.
Regards,
Aaron
--
Aaron Gray - https://github.com/AaronNGray
Meta-Mathematician, Independent Open Source Software Engineer,
Computer Language Researcher and Designer, Type Theorist, Computer
Scientist, Environmentalist and Climate Science Researcher and
Disseminator.
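As an added illustration of the approach Jonas describes (DNS replies diverted to userspace, the answered addresses pushed into a kernel set with a timeout, and egress checked against that record): this is example code written for this page, not OpenWrt code or anything from the thread. It assumes an nftables set named `dns_allowed` in table `inet filter` created with `flags timeout`, and parses a constructed DNS reply rather than a real capture.

```python
import struct
import ipaddress

# Constructed DNS reply (not a capture): example.com A IN -> 192.0.2.10 (TTL 300), 192.0.2.11 (TTL 60)
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"                   # header: 1 question, 2 answers
    b"\x07example\x03com\x00\x00\x01\x00\x01"                             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"   # A, TTL 300, 192.0.2.10
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0b"   # A, TTL 60, 192.0.2.11
)

def read_name(msg, off):
    """Return (name, next_offset), following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer: jump, remember where we were
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def a_records(msg):
    """Return (name, ip, ttl) for every A record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, out = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4               # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, str(ipaddress.IPv4Address(msg[off:off + 4])), ttl))
        off += rdlen                                   # skip rdata of any record type
    return out

def nft_commands(reply, table="inet filter", setname="dns_allowed"):
    """Set updates for the kernel (assumed set created with: nft add set inet filter dns_allowed
    { type ipv4_addr; flags timeout; }); the element timeout tracks the record TTL."""
    return [f"nft add element {table} {setname} {{ {ip} timeout {ttl}s }}" for _, ip, ttl in a_records(reply)]

def dns_allowlist(reply, now):
    """Userspace record of the reply, ip -> expiry time, mirroring what the kernel set holds."""
    return {ip: now + ttl for _, ip, ttl in a_records(reply)}

def egress_allowed(allowlist, dst_ip, now):
    """A new outgoing flow is permitted only while an unexpired DNS answer covers its destination."""
    return allowlist.get(dst_ip, 0) > now
```

A separate nftables rule (not shown) would drop new flows whose destination is not in the set.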