Topic: Force User To Use Open DNS  (Read 4309 times)
« on: March 28, 2012, 16:47:04 »
pomplcol *
Posts: 8

Hey all,

I'm new to the firewall/m0n0wall product and was looking to see if I can force users to use a specific DNS server (OpenDNS). If a user changes the DNS server on their device, they can now block it, but I was told I can prevent that. I'm not sure how to do so. I have searched the forums and tried what they suggested but it's not working! Any advice for a noob?
« Reply #1 on: March 28, 2012, 17:05:03 »
Fred Grayson *****
Posts: 994

It would be helpful for you to tell us exactly what you have tried or at least point us to the post(s) that contain what you tried.

But basically, what you want to do is create specific firewall rules.

The first rule would allow destination traffic only to the OpenDNS DNS server IP address(es),  only to destination port 53 TCP/UDP.

The second would deny outbound traffic to any destination IP address for destination port 53 TCP/UDP.

These must be in the sequence shown above.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: March 28, 2012, 17:18:01 »
pomplcol *
Posts: 8

Proto | Source            | Port | Destination    | Port      | Description
*     | RFC 1918 networks | *    | *              | *         | Block private networks
TCP   | 208.67.222.222    | *    | *              | 25 (SMTP) | SMTP Block
TCP   | *                 | *    | 172.20.0.20    | 80 (HTTP) | NAT For IP Cam
UDP   | 208.67.222.222    | *    | *              | 53 (DNS)  | DNS hiJack Block
UDP   | *                 | *    | 208.67.222.222 | 53 (DNS)  | Must Be Added
« Reply #3 on: March 28, 2012, 17:29:16 »
pomplcol *
Posts: 8

Also this:  http://forum.m0n0.ch/index.php/topic,5213.0.html

and this: http://forum.m0n0.ch/index.php/topic,5223.0.html

I used these as examples.
« Reply #4 on: March 28, 2012, 21:13:30 »
pomplcol *
Posts: 8

> It would be helpful for you to tell us exactly what you have tried or at least point us to the post(s) that contain what you tried.
>
> But basically, what you want to do is create specific firewall rules.
>
> The first rule would allow destination traffic only to the OpenDNS DNS server IP address(es), only to destination port 53 TCP/UDP.
>
> The second would deny outbound traffic to any destination IP address for destination port 53 TCP/UDP.
>
> These must be in the sequence shown above.

I made two rules, which are below. After I applied the rules and tried to go to a restricted page, it allows me through.

Proto   | Source | Port | Destination    | Port
TCP/UDP | *      | *    | 208.67.222.222 | 53 (DNS)
TCP/UDP | *      | *    | *              | 53 (DNS)
« Reply #5 on: March 28, 2012, 21:21:22 »
Fred Grayson *****
Posts: 994

Your rules do not say whether they allow traffic or block traffic, or what interface they apply to.

--
Google is your friend and Bob's your uncle.
« Reply #6 on: March 29, 2012, 14:41:10 »
pomplcol *
Posts: 8

The first is set to "Pass"; Interface: WAN; Protocol: TCP/UDP; Source: Any; Source port: Any; Destination Address: 208.67.220.220; Destination Port: DNS to DNS

The second is set to "Block"; Interface: WAN; Protocol: TCP/UDP; Source: Any; Source port: Any; Destination Address: any; Destination Port: DNS to DNS

I did save and apply those changes.
« Reply #7 on: March 29, 2012, 16:55:31 »
Fred Grayson *****
Posts: 994

I think these rules should be on your LAN interface, not WAN.

The rules must be placed above the Default LAN to any rule already in place.

You can do this by creating the new rules below the Default LAN to any rule, then creating a new identical Default LAN to any rule below the new rules, then deleting the original Default LAN to any rule at the top of the list.

--
Google is your friend and Bob's your uncle.
« Reply #8 on: March 29, 2012, 17:31:12 »
pomplcol *
Posts: 8

I applied the change to the LAN interface and made sure they were above the default LAN policy.  When I try to get to a blocked site, it blocks it!  But...it also blocks every other page, even with the correct dns in place on the workstation....
« Reply #9 on: March 29, 2012, 20:23:35 »
Fred Grayson *****
Posts: 994

I think this approach might work. Please try it and see.

On the LAN interface, add a firewall rule above the Default LAN to any rule.

Action: Block, Protocol: TCP/UDP, Source: LAN Subnet, Source Port: Any, Destination: Any, Destination Port: 53

On the System: General setup page, specify both OpenDNS servers 208.67.222.222 and 208.67.220.220

On the Services: DNS forwarder page, Enable DNS forwarder.

On your LAN PCs, specify the m0n0wall LAN IP address for default gateway and DNS server.
« Last Edit: March 29, 2012, 20:59:34 by fredg »

--
Google is your friend and Bob's your uncle.
« Reply #10 on: March 29, 2012, 22:16:06 »
pomplcol *
Posts: 8

I inserted the new rules, set my workstation's DNS to m0n0wall's IP and it worked, but still, if I change the DNS on the workstation to 8.8.8.8 (Google's DNS servers) it goes right through to a restricted site. Is what I'm trying to accomplish even possible?
« Reply #11 on: March 29, 2012, 23:26:42 »
Fred Grayson *****
Posts: 994

I tested this here and it worked. But I am not testing with OpenDNS name servers, so I can't speak to what sites they block or don't block.

With the rule I suggested in place at the top of the LAN firewall rule list, and my PC's network adapter set to use m0n0wall's LAN IP as DNS, and m0n0wall set to use the DNS Forwarder, I can get to web sites by name.

If I change the DNS on my PC's network adapter to anything other than m0n0wall's LAN IP, I can no longer get to any web sites by name.

It would not matter what name servers I have set in m0n0wall System: General setup, the idea here is that this setup will allow only the m0n0wall LAN IP to work for DNS settings on the PC's network adapter.

Please verify everything is exactly as suggested.

--
Google is your friend and Bob's your uncle.
« Reply #12 on: April 03, 2012, 16:31:20 »
pomplcol *
Posts: 8

Here are my screenshots.

Attachments: DNS Forwarder.jpg, General.jpg, LAN Rules.jpg
« Reply #13 on: April 03, 2012, 17:23:16 »
Fred Grayson *****
Posts: 994

You have one mistake here that is preventing this from working.

Your LAN Firewall rule at the top is set to Accept (green up arrow). It needs to be set to Block (red X). Edit the rule and change the Action to Block and it should work as you want it to.

Also, the last two LAN firewall rules that you have currently disabled will never be evaluated, because they are below the Default LAN -> any rule, which is evaluated before the two below it and accepts anything.

--
Google is your friend and Bob's your uncle.
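As an added illustration (not from the thread or from m0n0wall itself), a small first-match rule evaluator that models the LAN rule list discussed above and checks the three situations the replies walk through: the working layout from Reply #9, the "Accept instead of Block" mistake from Reply #13, and the block rule placed below "Default LAN -> any" from Reply #7. The LAN subnet, firewall address, client address and web server address are constructed values; the explicit pass rule to the firewall's own LAN IP is an addition here that spells out the ordering rather than relying on any m0n0wall default.

```python
from ipaddress import ip_address, ip_network

# Constructed values for this example; substitute your own LAN subnet and firewall address.
LAN_SUBNET = ip_network("192.168.1.0/24")
M0N0WALL_LAN_IP = ip_address("192.168.1.1")


def rule(action, proto, src, dst, dport):
    """One LAN rule. src/dst are 'any', a host address or a CIDR; proto is 'any' or 'tcp/udp'."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _rule_matches(r, proto, src, dst, dport):
    proto_ok = r["proto"] == "any" or proto in r["proto"].split("/")
    port_ok = r["dport"] == "any" or r["dport"] == dport
    return proto_ok and port_ok and _addr_match(r["src"], src) and _addr_match(r["dst"], dst)


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins, top to bottom; no match falls through to the implicit default deny."""
    for r in rules:
        if _rule_matches(r, proto, src, dst, dport):
            return r["action"]
    return "block"


DEFAULT_LAN_TO_ANY = rule("pass", "any", str(LAN_SUBNET), "any", "any")
ALLOW_FORWARDER = rule("pass", "tcp/udp", str(LAN_SUBNET), str(M0N0WALL_LAN_IP), 53)  # assumed explicit rule
BLOCK_OTHER_DNS = rule("block", "tcp/udp", str(LAN_SUBNET), "any", 53)

WORKING = [ALLOW_FORWARDER, BLOCK_OTHER_DNS, DEFAULT_LAN_TO_ANY]                          # Reply #9 layout
WRONG_ACTION = [ALLOW_FORWARDER, dict(BLOCK_OTHER_DNS, action="pass"), DEFAULT_LAN_TO_ANY]  # Reply #13 mistake
WRONG_ORDER = [DEFAULT_LAN_TO_ANY, ALLOW_FORWARDER, BLOCK_OTHER_DNS]                       # Reply #7 warning


def dns_egress_check(rules, client="192.168.1.50"):
    """What a LAN client gets for DNS to the forwarder, to outside resolvers, and for plain web traffic."""
    return {
        "forwarder": evaluate(rules, "udp", client, str(M0N0WALL_LAN_IP), 53),
        "google_dns": evaluate(rules, "udp", client, "8.8.8.8", 53),
        "opendns_direct": evaluate(rules, "udp", client, "208.67.222.222", 53),
        "web": evaluate(rules, "tcp", client, "203.0.113.10", 80),  # constructed documentation-range address
    }


if __name__ == "__main__":
    for name, rules in (("working", WORKING), ("wrong action", WRONG_ACTION), ("wrong order", WRONG_ORDER)):
        print(name, dns_egress_check(rules))
```

Only the working layout leaves the firewall's own LAN IP as the single DNS destination a client can reach; in both failure cases 8.8.8.8 passes, which is exactly the symptom reported in Reply #10.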