Description
I was playing around in an ssh session, and noticed that curl/ping to localhost doesn't work.
This led me to discover that iptables is rejecting requests to 127.0.0.1:
root@OpenCentauri:~# iptables-save
# Generated by iptables-save v1.4.21 on Thu Jan 1 12:30:06 1970
*filter
:INPUT ACCEPT [30931:2152533]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30467:206409558]
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jan 1 12:30:06 1970
# Generated by iptables-save v1.4.21 on Thu Jan 1 12:30:06 1970
*mangle
:PREROUTING ACCEPT [31016:2159141]
:INPUT ACCEPT [31010:2157113]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70568:209545266]
:POSTROUTING ACCEPT [30560:206416058]
COMMIT
# Completed on Thu Jan 1 12:30:06 1970
These seem to be generated by /app/block-update-checks.sh and /app/block-connectivity-checks.sh. While the printer boots up, if the hostnames mentioned in those scripts are not resolvable for some reason*, the rule adds 127.0.0.1 as the destination IP address (instead of something more useful).
This could be an issue when the user's network is unstable -- or e.g. the router takes longer to boot up than the printer after a power outage. In such a case, letting the user believe that there's no connectivity is really bad, since the printer can actually access anything it wants.
Also, resolving the hostnames with rules like these is very prone to error. Large scale sites like google.com have many reasons to change their IPs over geo and over time -- so blocking google.com with iptables -A OUTPUT -d google.com -j REJECT doesn't achieve the desired effect.
* In my case, I don't want the printer to access the internet at all; I'm much happier if it's a local-network-only appliance.
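Two things go wrong in the iptables-save output above: a lookup failure turned into a REJECT rule for 127.0.0.1, and the same rule was appended twenty times. The shell example below is added here and is not code from the OpenCentauri firmware or from the /app/block-update-checks.sh and /app/block-connectivity-checks.sh scripts (whose contents the issue does not show). It validates a resolved address before using it as a REJECT destination, uses `iptables -C` so re-running never stacks duplicates, and, for the local-network-only preference in the footnote, emits a default-deny OUTPUT ruleset in iptables-restore format. Hostnames under `.invalid` and the address 198.51.100.7 (TEST-NET-2) are constructed for the demonstration; the `RESOLVED_CONSTRUCTED` variable stands in for whatever the real scripts get back from the resolver.

```shell
#!/bin/sh
# Added example (not OpenCentauri project code): defensive handling of
# hostname-based REJECT rules. Sample hostnames/addresses are constructed.

# Succeed (0) only when $1 is a dotted-quad IPv4 address that is safe to use
# as a REJECT destination: not empty, not malformed, not 0.0.0.0 and not in
# 127.0.0.0/8, which would cut the printer off from its own loopback services.
is_safe_block_target() {
    ip=$1
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Positional parameters are local to a POSIX sh function; reuse them for the octets.
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -ne 127 ] || return 1
    [ "$ip" != "0.0.0.0" ] || return 1
    return 0
}

# Print the command that installs a REJECT rule for one host/address pair,
# or log to stderr and fail when the address did not pass validation.
# "-C" tests whether an identical rule already exists, so "-A" only ever
# runs once no matter how often the boot script is executed.
reject_rule_for() {
    host=$1
    ip=$2
    if ! is_safe_block_target "$ip"; then
        printf 'skipping %s: unusable resolution "%s"\n' "$host" "$ip" >&2
        return 1
    fi
    printf 'iptables -C OUTPUT -d %s/32 -j REJECT 2>/dev/null || iptables -A OUTPUT -d %s/32 -j REJECT\n' \
        "$ip" "$ip"
}

# Read "hostname address" lines from stdin, print the commands for usable
# entries and return the number of entries that were skipped.
install_from_resolver_output() {
    skipped=0
    while IFS=' ' read -r host ip; do
        [ -n "$host" ] || continue
        reject_rule_for "$host" "$ip" || skipped=$((skipped + 1))
    done
    return "$skipped"
}

# Constructed resolver output: one good lookup, one lookup that fell back to
# loopback (the failure mode described in the issue) and one that returned
# nothing at all.
RESOLVED_CONSTRUCTED='update-check.invalid 198.51.100.7
connectivity-check.invalid 127.0.0.1
unresolvable.invalid'

# Ruleset for a local-network-only appliance, in iptables-save/-restore format.
# Loopback, RFC 1918, link-local and multicast (mDNS/SSDP discovery) destinations
# are allowed; everything else is rejected. Loading it with iptables-restore
# replaces the whole filter table atomically, so duplicates cannot accumulate.
lan_only_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 169.254.0.0/16 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Dry run: show what would be executed. Pipe the output to sh to apply it,
# or run "lan_only_ruleset | iptables-restore" for the LAN-only policy.
printf '%s\n' "$RESOLVED_CONSTRUCTED" | install_from_resolver_output || true
```

The dry run prints one guarded `iptables -C ... || iptables -A ...` line for the good lookup and reports the other two on stderr instead of installing anything, which is the behaviour the boot scripts would need to avoid the loopback rule shown in the issue.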