Comments (5)
Ping is expected to work as we currently don't support (and therefore can't block) ICMP.
nslookup, which is based on UDP, has no reason not to be blocked though. I will test it later today.
from opengfw.
I can't reproduce nslookup. Both TCP and UDP are correctly blocked in my tests. Are you sure you are using the version after this fix? #52
Yes, I encountered this on the latest build v0.1.1. I built a server that serves both DNS and SSH.
Supposing I use this ruleset:
- name: block ip
  action: block
  expr: string(ip.dst) == "xxx.xxx.xxx.xxx"
# This is necessary
- name: block bili
  action: block
  expr: string(tls?.req?.sni) endsWith "bilibili.com"
Here's my log:
2024-02-16T13:21:07+08:00 INFO TCP stream action {"id": 1758360840290971648, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:08+08:00 INFO TCP stream action {"id": 1758360844527214592, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:09+08:00 INFO TCP stream action {"id": 1758360848780230656, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 1758360912110034944, "src": "10.151.94.141:48852", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 1758360912126803968, "src": "10.151.94.141:49157", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}
I block that IP and the SSH connection is unreachable, but the DNS query succeeds.
What's weird is that if there is only one "block ip" rule in the ruleset, even the TCP stream would not be blocked. But if we add another rule similar to "block bili" above, the TCP stream can be blocked.
I tested this on my PC (Arch), a server in Shanghai (Ubuntu 22.04) and a server in Tokyo (Arch).
Alibaba DNS is not available in all areas. Maybe you could try to use 1.1.1.1 to test.
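The report above is easiest to confirm from the engine's own log: a rule of the form string(ip.dst) == "<ip>" does not mention a protocol, so every TCP and UDP stream to that host should be logged with action "block". The script below is an added example, not OpenGFW's own code. It parses stream-action lines in the shape shown in the thread and lists the streams whose logged action disagrees with that expectation. The log lines and addresses in it are constructed (192.0.2.10 stands in for the xxx.xxx.xxx.xxx of the report; 198.51.100.7 is an unrelated host), and the host_of, parse_stream_actions, expected_action and find_unenforced names are this example's own.

```python
"""Check OpenGFW-style stream-action log lines against an expected block list.

Added example, not OpenGFW's own code.  The line shape follows the log
pasted in the thread above; the addresses and ids are constructed.
"""
import json
import re

# "<timestamp> <level> <TCP|UDP> stream action <json object>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) (?P<proto>TCP|UDP) stream action (?P<body>\{.*\})$"
)

# Constructed sample: two TCP streams to port 22 that were blocked, two UDP
# streams to port 53 on the same host that were allowed with noMatch=true,
# and one UDP stream to an unrelated host that is expected to be allowed.
SAMPLE_LOG = """\
2024-02-16T13:21:07+08:00 INFO TCP stream action {"id": 1, "src": "10.151.94.141:55336", "dst": "192.0.2.10:22", "action": "block", "noMatch": false}
2024-02-16T13:21:08+08:00 INFO TCP stream action {"id": 2, "src": "10.151.94.141:55336", "dst": "192.0.2.10:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 3, "src": "10.151.94.141:48852", "dst": "192.0.2.10:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 4, "src": "10.151.94.141:49157", "dst": "192.0.2.10:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:30+08:00 INFO UDP stream action {"id": 5, "src": "10.151.94.141:49200", "dst": "198.51.100.7:53", "action": "allow", "noMatch": true}
"""


def host_of(addr):
    """Return the host part of 'host:port' (IPv4) or '[host]:port' (IPv6)."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def parse_stream_actions(text):
    """Yield one dict per stream-action line; lines of other shapes are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = json.loads(m.group("body"))
        rec["ts"] = m.group("ts")
        rec["proto"] = m.group("proto")
        rec["dst_host"] = host_of(rec["dst"])
        yield rec


def expected_action(rec, blocked_ips):
    """Mirror a `string(ip.dst) == "<ip>"` block rule.

    The rule is protocol-independent, so TCP and UDP streams to a blocked
    host must both be blocked; everything else is expected to be allowed.
    """
    return "block" if rec["dst_host"] in blocked_ips else "allow"


def find_unenforced(records, blocked_ips):
    """Return the records whose logged action differs from the expected one."""
    return [r for r in records if r["action"] != expected_action(r, blocked_ips)]


if __name__ == "__main__":
    blocked = {"192.0.2.10"}
    for r in find_unenforced(parse_stream_actions(SAMPLE_LOG), blocked):
        print(f"{r['ts']} {r['proto']} {r['src']} -> {r['dst']}: "
              f"got {r['action']} (noMatch={r['noMatch']}), expected block")
```

Run against a real engine log, the output is the list of streams that slipped past the rule; on the constructed sample it is exactly the two UDP port-53 streams, which is the symptom described in the comment above.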
Can you see if the above fix works for you?
All things work properly. Thank you.
Related Issues (20)
- Can OpenVPN be blocked? HOT 3
- OpenWrt Lean x86_64: running reports a missing file, but it is unclear which one. HOT 2
- Is the "Great Cannon" available? HOT 2
- can openvpn be blocked? HOT 1
- engine exited {"error": "exit status 1"} HOT 1
- Hidden dependency to iptables command HOT 1
- Can anyone identify the author? HOT 1
- Hope the developer can consider working on this
- 2024-03-24T04:05:45Z INFO engine exited {"error": "could not unbind existing handlers (if any): netlink receive: invalid argument"} HOT 9
- add matched rule name in log and debug outputs? HOT 1
- whitelist HOT 1
- [Function Request] Trojan injection? HOT 1
- [Function Request] Account & Password Record HOT 1
- Add pcap support to make debugging easier
- Memory leak on hot reload
- NTP packets appear to be identified as DNS packets HOT 2
- geoip.dat/geodata.dat paths specified in config.yaml have no effect HOT 2
- Running under Raspbian results in "netlink receive: operation not supported" HOT 2
- Add a feature to drop packets with 50% probability when casting skills in Honor of Kings HOT 1
- Improve DNS modifier to use a pool of forged IP addresses