DNS Forwarder, IP Pools, and pf Tables¶
This page documents the implemented t1n1wall workflow where DNS resolution can feed firewall policy.
What this feature does¶
- DNS forwarder (
dnsmasq) resolves configured domains. - Resolved addresses are inserted into configured IP Pools.
- IP Pools are enforced as pf tables in firewall rules.
This allows policy decisions based on DNS-resolved targets instead of static IP lists.
Where to configure it¶
- Create IP Pools and members in Firewall IP Pool pages.
- In
Services > DNS forwarder, add IP Pool map entries: - Domain/FQDN to monitor
- Target IP Pool
- Use that IP Pool in firewall rules as source or destination network.
How it is implemented (code behavior)¶
- DNS forwarder config writes
ipset=/domain/poolidentries. - Filter logic renders IP Pools as pf table definitions.
- pf tables are loaded during filter apply.
Practical implication: if domain mapping is wrong or DNS queries do not pass through this firewall, policy matching will fail even when rules look correct.
Validation checklist¶
- Confirm domain mapping entry exists in DNS forwarder.
- Confirm clients use this firewall DNS forwarder path.
- Confirm firewall rule references the expected IP Pool.
- Confirm pf tables include expected resolved addresses.
- Generate test traffic and confirm expected pass/block logs.
Common failure cases¶
- Domain typo or wrong scope (mapping not matching actual query name)
- Clients using external DNS directly (bypassing local dnsmasq)
- IP Pool not referenced by any policy rule
- Stale assumptions about old ipfilter terminology instead of pf table behavior