Closed KujouRinka closed 6 months ago
Ping is expected to work as we currently don't support (and therefore can't block) ICMP.
nslookup, which is based on UDP, has no reason not to be blocked though. I will test it later today.
I can't reproduce the nslookup issue. Both TCP and UDP are correctly blocked in my tests. Are you sure you are using the version after this fix? https://github.com/apernet/OpenGFW/pull/52
Yes, I encountered this on the latest build v0.1.1. I built a server that serves both DNS and SSH.
Supposing I use this ruleset:
- name: block ip
  action: block
  expr: string(ip.dst) == "xxx.xxx.xxx.xxx"
# This is necessary
- name: block bili
  action: block
  expr: string(tls?.req?.sni) endsWith "bilibili.com"
Here's my log:
2024-02-16T13:21:07+08:00 INFO TCP stream action {"id": 1758360840290971648, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:08+08:00 INFO TCP stream action {"id": 1758360844527214592, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:09+08:00 INFO TCP stream action {"id": 1758360848780230656, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 1758360912110034944, "src": "10.151.94.141:48852", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 1758360912126803968, "src": "10.151.94.141:49157", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}
I block that IP and the SSH connection is unreachable, but the DNS query succeeds.
What's weird is that if there is only one "block ip" rule in the ruleset, even the TCP stream would not be blocked. But if we add another rule similar to "block bili" above, the TCP stream can be blocked.
I tested this on my PC (Arch), a server in Shanghai (Ubuntu 22.04) and a server in Tokyo (Arch).
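A quick way to confirm what the log above shows, independent of any one test command, is to parse the stream-action lines and list every stream whose destination is in the blocked set but whose action is not "block". The script below is an added example, not OpenGFW's own code; it assumes the log line shape quoted above (timestamp, level, TCP/UDP, "stream action", then a JSON object with src, dst, action and noMatch), and its sample lines are constructed, with the redacted destination replaced by the documentation address 192.0.2.10.

```python
import json
import re

# Constructed sample lines in the shape of the OpenGFW stream-action log quoted in the thread.
# The redacted "xxx.xxx.xxx.xxx" destination is replaced by the documentation address 192.0.2.10,
# and a line to an unrelated resolver plus one non-matching line are added as negative cases.
SAMPLE_LOG = """\
2024-02-16T13:21:07+08:00 INFO TCP stream action {"id": 1758360840290971648, "src": "10.151.94.141:55336", "dst": "192.0.2.10:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00 INFO UDP stream action {"id": 1758360912110034944, "src": "10.151.94.141:48852", "dst": "192.0.2.10:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:30+08:00 INFO UDP stream action {"id": 1758360912126803969, "src": "10.151.94.141:49200", "dst": "198.51.100.7:53", "action": "allow", "noMatch": true}
this line is not a stream-action record and is skipped
"""

# "<timestamp> <level> <TCP|UDP> stream action <json>" as seen in the log lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+(?P<proto>TCP|UDP)\s+stream action\s+(?P<body>\{.*\})$"
)


def split_host_port(addr):
    """Split 'host:port' into (host, port); IPv6 literals are written as '[host]:port'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_line(line):
    """Return a dict for one stream-action line, or None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = json.loads(m.group("body"))
    src_host, src_port = split_host_port(rec["src"])
    dst_host, dst_port = split_host_port(rec["dst"])
    return {
        "ts": m.group("ts"),
        "proto": m.group("proto"),
        "id": rec["id"],
        "src": src_host,
        "src_port": src_port,
        "dst": dst_host,
        "dst_port": dst_port,
        "action": rec["action"],
        "no_match": bool(rec.get("noMatch", False)),
    }


def find_leaks(log_text, blocked_ips):
    """Streams to a destination the ruleset should block but the log shows as not blocked."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in blocked_ips and rec["action"] != "block":
            leaks.append(rec)
    return leaks


def summarize(leaks):
    """Count leaked streams per (protocol, destination port), e.g. {('UDP', 53): 1}."""
    counts = {}
    for rec in leaks:
        key = (rec["proto"], rec["dst_port"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_leaks(SAMPLE_LOG, {"192.0.2.10"})
    for rec in found:
        print(f'{rec["ts"]} {rec["proto"]} {rec["src"]}:{rec["src_port"]} -> '
              f'{rec["dst"]}:{rec["dst_port"]} action={rec["action"]} noMatch={rec["no_match"]}')
    print(summarize(found))
```

Run against a real log file by reading it into `find_leaks` in place of `SAMPLE_LOG`; a `noMatch: true` entry for a destination in the blocked set means no rule matched that stream at all, which separates "rule matched but the verdict was not enforced" from "rule never matched", the distinction that matters when comparing the single-rule and two-rule configurations described above.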
Alibaba DNS is not available in all areas. Maybe you could try to use 1.1.1.1 to test.
Can you see if the above fix works for you?
All things work properly. Thank you.
My Environment
Config Files
What Happened
Connection to IP that should be blocked established successfully.
Concretely, commands like
ping 223.5.5.5
and
nslookup baidu.com 223.5.5.5
can get a response, but they should not act like this. By the way, blocking by other keywords, such as tls?.req?.sni and http?.req?.header?.host: all these things can work properly, but ip.dst does not. Maybe ip.src cannot either, but I have not checked it yet.