DNS-based firewall rules on OpenWrt 22.03 using IP sets and fw4

Peter

I wanted to be able to use DNS-based firewall rules like on pfsense, opnsense and Sophos UTM for certain use cases. OpenWRT does not have this functionality built in. I came up with the following solution.

This allows you to list DNS names, for example in /etc/ipset-dns/dst_host_search_engines.list:

google.com
www.google.com
yahoo.com
www.yahoo.com
bing.com
www.bing.com

With a corresponding IP set entry in /etc/system/firewall:

config ipset
        option name 'dst_host_search_engines'
        option match 'dst_ip'
        option enabled '1'
        option timeout '0'

And an example firewall rule you could use with OpenWRT in /etc/config/firewall:

config rule
        option name 'Allow-Search-Engines'
        option family 'ipv4'
        list proto 'all'
        option ipset 'dst_host_search_engines'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'lan'

And the entirety of the script, which will query the hosts listed based on their IP address family, and set a timeout based on the TTL of the DNS entries.

/etc/ipset-dns.sh (don't forget to set executable bit):

#!/bin/sh

for filename in /etc/ipset-dns/*.list; do
        ipset=$(basename $filename | cut -d '.' -f1)
        stdout=$(nft list set inet fw4 $ipset 2>&1)
        if [ $? -gt 0 ]; then
                echo $stdout | sed 's/^Error/Warning/'
                continue
        fi

        nft_type=$(echo $stdout | grep -oE 'type \w+' | awk '{ print $2 }')
        type=
        if [[ "$nft_type" == "ipv4_addr" ]]; then
                type=A
        elif [[ "$nft_type" == "ipv6_addr" ]]; then
                type=AAAA
        else
                echo "Warning: invalid type $nft_type for $ipset"
                continue
        fi


        dig $type -f $filename +noall +answer | while read _ ttl _ _ ip; do
                ttl=$(( ttl + 500 ))
                nft add element inet fw4 $ipset { ${ip} timeout ${ttl}s };
        done
done

And the following crontab entry for the root user, in /etc/crontabs/root so that the script runs at boot and every 5 minutes (modify to suit, but make sure to update the 500 second addition on the TTL):

@reboot /etc/ipset-dns.sh
5 * * * * /etc/ipset-dns.sh

UEFI enabled libvirt virtual machines on Ubuntu

Peter

Required steps

  • Install the ovmf package
  • Restart libvirt-bin
  • Create /var/lib/libvirt/qemu/nvram to store NVRAM from a UEFI-enabled virtual machine (VM)

libvirt XML definition example for UEFI enabled VM

libvirt edit $VM_NAME and amend the XML definition.

  <os>
    <type arch='x86_64' machine='pc-q35-2.11'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS.fd'/>
    <boot dev='hd'/>
  </os>

WEMOS LOLIN32 ESP32 Lite pinout example for CJMCU-811

Peter

Low cost ESP32 development board such as WEMOS ESP32 LOLIN32 Lite paired with a CO2 / VOC sensor CJMCU-811. The WEMOS LOLIN32 development board does not have all the same GPIO as other similar ESP32 boards.

Pinout

LOLIN32CJMCU-811
V3.3VCC
22 (GPIO22)SCL
19 (GPIO19)SDA
GNDWAK
Pinout example for LOLIN32 paired with CJMCU-811

ESPHome example

i2c:
  sda: GPIO15
  scl: GPIO2

sensor:
  - platform: ccs811
    eco2:
      name: "CCS811 eCO2 Value"
    tvoc:
      name: "CCS811 Total Volatile Organic Compound"
    address: 0x5A
    baseline: 0x9AB9
    update_interval: 60s

MOES IR Control Tuya (SRW-001) flashing (ESPHome, etc)

Peter

The device MOES IR Control Hub, which uses Tuya ESP8266 is no longer vulnerable to the vulnerability that tuya-convert exploits. You will need to open the device to flash it.

They are currently shipped with an TYWE3S which is an ESP8266 (as of June, 2021). You can see the pin outs for the TYWE3S at the Tasmota site.

Use a thin utility knife to open, I would recommend starting at the USB port area. There are two tabs on either side, and a few spread throughout. Once you have the device open and have connections setup you are ready to flash.

How to flash?

  1. Tie GPI0 to GND to start flash mode (when RST or power on the device, you will know you are in flash mode because the blue status LED does not come on)
  2. RX, TX, GND to your USB TTL (remember RX and TX are reversed for the USB TTL side)
  3. GND on TYWE3S is connected to the same ground plane as the rest of the board (i.e. GND on your USB TTL)
  4. Then power up via MicroUSB
  5. Flash via esptool (rev 1ca08af instead of master due to Issue #635 in esptool)
  6. Unplug everything and power up normally, and configure ESPHome as you normally would.

RE: Motion B6 – Don't Feed the Wildlife

Peter

My letter to City of Vancouver council regarding Motion B6 – Don't Feed the Wildlife.

Hello,

I do not support Motion B6 – Don't Feed the Wildlife, submitted by Pete Fry.

The proposed ban is overly broad, and unnecessary. There is already a Park Board bylaw on banning feeding wildlife in our parks, which is the advertised target of this motion.

The City and Park Board should enforce existing bylaws, instead of adding new ones. And, when necessary, work with the province on enforcing laws against feeding dangerous animals.

Pete Fry stated that the proposed bylaw is also meant to target people who attract vermin to their properties. Does the City not have bylaws in place already that cover this? I believe they do.

Many residents in Vancouver feed the various birds in their area using methods banned with this proposed bylaw (i.e. putting out nuts while under observation in a container during the day: to prevent vermin), and use it as a way to improve their mental wellbeing, especially during COVID-19. This will unfairly target seniors and people with restricted social circles.

Please consider voting against this motion.

Thank you.