
Comments (5)

tobyxdd avatar tobyxdd commented on May 31, 2024

Ping is expected to work as we currently don't support (and therefore can't block) ICMP.

nslookup, which is based on UDP, has no reason not to be blocked though. I will test it later today.

from opengfw.

tobyxdd avatar tobyxdd commented on May 31, 2024

I can't reproduce nslookup. Both TCP and UDP are correctly blocked in my tests. Are you sure you are using the version after this fix? #52


KujouRinka avatar KujouRinka commented on May 31, 2024

Yes, I encountered this on the latest build v0.1.1. I built a server that serves both DNS and SSH.

Supposing I use this ruleset:

- name: block ip
  action: block
  expr: string(ip.dst) == "xxx.xxx.xxx.xxx"

# This is necessary
- name: block bili
  action: block
  expr: string(tls?.req?.sni) endsWith "bilibili.com"

Here's my log:

2024-02-16T13:21:07+08:00       INFO    TCP stream action       {"id": 1758360840290971648, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:08+08:00       INFO    TCP stream action       {"id": 1758360844527214592, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:09+08:00       INFO    TCP stream action       {"id": 1758360848780230656, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00       INFO    UDP stream action       {"id": 1758360912110034944, "src": "10.151.94.141:48852", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:24+08:00       INFO    UDP stream action       {"id": 1758360912126803968, "src": "10.151.94.141:49157", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}

I block that IP and the SSH connection is unreachable, but the DNS query succeeds.

What's weird is that if there is only one "block ip" rule in the ruleset, even the TCP stream is not blocked. But if we add another rule similar to "block bili" above, the TCP stream is blocked.

I tested this on my PC (Arch), a server in Shanghai (Ubuntu 22.04) and a server in Tokyo (Arch).

Alibaba DNS is not available in all areas. Maybe you could try to use 1.1.1.1 to test.

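The report above is essentially an enforcement audit done by hand: the operator knows which destination the ruleset should block, reads the stream log, and notices that TCP/22 was blocked while UDP/53 to the same address was logged as "allow" with noMatch: true. The script below automates that check. It is an added example, not OpenGFW code: it parses the log format shown in the report, expresses the intended rule as a plain Python predicate standing in for the expr rule (the SNI rule is omitted because the log carries no SNI), and lists every flow whose logged action differs from the intended one. The log lines are constructed from the report's format with 203.0.113.10 (a TEST-NET-3 documentation address) in place of xxx.xxx.xxx.xxx, and the "first matching rule wins, otherwise allow" semantics is an assumption of this example, not a statement about OpenGFW's rule engine.

```python
"""Cross-check OpenGFW-style stream logs against the rule they should enforce.

Added example, not OpenGFW code. The rule predicate is a Python stand-in for
the report's expr rule; the log excerpt is constructed in the report's format
with 203.0.113.10 (TEST-NET-3) substituted for the redacted xxx.xxx.xxx.xxx.
"""
import json
import re
from ipaddress import ip_address

# Assumed placeholder for the report's redacted destination address.
BLOCKED_IP = ip_address("203.0.113.10")

# Constructed log excerpt in the format the report shows (one extra line to
# 1.1.1.1 so that a correctly allowed flow is also present).
SAMPLE_LOG = """\
2024-02-16T13:21:07+08:00       INFO    TCP stream action       {"id": 1758360840290971648, "src": "10.151.94.141:55336", "dst": "203.0.113.10:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00       INFO    UDP stream action       {"id": 1758360912110034944, "src": "10.151.94.141:48852", "dst": "203.0.113.10:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:24+08:00       INFO    UDP stream action       {"id": 1758360912126803968, "src": "10.151.94.141:49157", "dst": "203.0.113.10:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:30+08:00       INFO    UDP stream action       {"id": 1758360937000000000, "src": "10.151.94.141:49200", "dst": "1.1.1.1:53", "action": "allow", "noMatch": true}
"""

# "<timestamp> <level> <TCP|UDP> stream action <json>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<proto>TCP|UDP) stream action\s+(?P<json>\{.*\})\s*$"
)


def parse_log(text):
    """Turn the text log into a list of flow dicts; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = json.loads(m.group("json"))
        dst_host, dst_port = rec["dst"].rsplit(":", 1)
        flows.append({
            "ts": m.group("ts"),
            "proto": m.group("proto"),
            "src": rec["src"],
            "dst_ip": ip_address(dst_host),
            "dst_port": int(dst_port),
            "action": rec["action"],
            "no_match": rec["noMatch"],
        })
    return flows


# Intended rules as (name, action, predicate). In this example the first
# matching rule wins and an unmatched flow is allowed (an assumption here).
# The predicate stands in for: string(ip.dst) == "xxx.xxx.xxx.xxx"
RULES = [
    ("block ip", "block", lambda f: f["dst_ip"] == BLOCKED_IP),
]


def intended_action(flow):
    """Return (action, rule name) the ruleset should have produced for this flow."""
    for name, action, pred in RULES:
        if pred(flow):
            return action, name
    return "allow", None


def find_enforcement_gaps(flows):
    """Flows whose logged action differs from the action the rules call for."""
    gaps = []
    for f in flows:
        want, rule = intended_action(f)
        if want != f["action"]:
            gaps.append({**f, "expected": want, "rule": rule})
    return gaps


def summarize(gaps):
    """Count gaps per (protocol, destination port) so a UDP/53-only miss stands out."""
    counts = {}
    for g in gaps:
        key = (g["proto"], g["dst_port"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    gaps = find_enforcement_gaps(parse_log(SAMPLE_LOG))
    for g in gaps:
        print(f'{g["ts"]} {g["proto"]} {g["src"]} -> {g["dst_ip"]}:{g["dst_port"]} '
              f'logged={g["action"]} expected={g["expected"]} rule={g["rule"]}')
    print(summarize(gaps))
```

Run against the constructed excerpt, the two UDP/53 flows to the blocked address are reported as gaps while the TCP/22 flow and the flow to 1.1.1.1 are not. Feeding a real log through the same parser after a fix is the quickest way to confirm that both TCP and UDP streams to the address are now blocked rather than trusting a single nslookup by hand.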

tobyxdd avatar tobyxdd commented on May 31, 2024

Can you see if the above fix works for you?


KujouRinka avatar KujouRinka commented on May 31, 2024

All things work properly. Thank you.

