# Local Unbound Config - not working.



## Sub4sub (Apr 19, 2022)

I am trying to configure local_unbound.

1. I added `local_unbound_enable="YES"` to the file /etc/rc.conf and turned it on.

2. I specified the OpenDNS servers as the DNS server addresses in the file /var/unbound/forward.conf:


```
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.

forward-zone:
        name: .
        forward-addr: 208.67.222.222
        forward-addr: 208.67.220.220
```

3. I set the nameserver in the /etc/resolv.conf file to the local address of the Unbound server:


```
nameserver 127.0.0.1
options edns0
```


4. But unfortunately it does not ping:

```
# ping google.com
ping: Unknown host
```

It does not ping after reboot either.


----------



## DutchDaemon (Apr 19, 2022)

Sounds like Unbound isn't running, check with `sockstat -l4p53` and `service local_unbound status`.


----------



## Sub4sub (Apr 19, 2022)

It is on and listening, but there is no communication between the defined DNS server and Unbound.


```
root@router:~ # sockstat -l4p53
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  local-unbo 7070  3  udp4   127.0.0.1:53          *:*
unbound  local-unbo 7070  4  tcp4   127.0.0.1:53          *:*
unbound  local-unbo 7070  5  udp4   192.168.1.46:53       *:*
unbound  local-unbo 7070  6  tcp4   192.168.1.46:53       *:*
nobody   dnsmasq    82276 8  udp4   *:53                  *:*
nobody   dnsmasq    82276 9  tcp4   *:53                  *:*
root@router:~ # service local_unbound status
/etc/rc.d/local_unbound: DEBUG: checkyesno: local_unbound_enable is set to YES.
local_unbound is running as pid 7070.
root@router:~ # sockstat -4 | grep unbound
unbound  local-unbo 7070  3  udp4   127.0.0.1:53          *:*
unbound  local-unbo 7070  4  tcp4   127.0.0.1:53          *:*
unbound  local-unbo 7070  5  udp4   192.168.1.46:53       *:*
unbound  local-unbo 7070  6  tcp4   192.168.1.46:53       *:*
root@router:~ # ping google.com
ping: Unknown host
root@router:~ #
```


----------



## mer (Apr 19, 2022)

Try running a tcpdump in one window and see if packets are getting sent to the 208.67.x.y addresses when you do the ping.

What if instead of the 127.0.0.1 in resolv.conf, you put in the 208.67.x.y addresses?  Does google.com resolve then?

What are the 2 dnsmasq processes running?  Can you stop them?


----------



## DutchDaemon (Apr 19, 2022)

Either unbound or dnsmasq (indeed, why is that running?) should have complained about port 53 already being bound to.
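An added check for the port-53 overlap DutchDaemon is pointing at (example code written for this page, not from any poster in the thread): it parses the `sockstat -l4p53` listing posted above and reports every proto/port pair that more than one process has claimed, treating a wildcard `*:53` listener as overlapping every specific address. The sample input is the thread's own listing, embedded as a constant.

```python
from collections import defaultdict

# Constructed sample: the `sockstat -l4p53` listing posted above, with dnsmasq on
# the wildcard *:53 next to local-unbound on 127.0.0.1:53 and 192.168.1.46:53.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  local-unbo 7070  3  udp4   127.0.0.1:53          *:*
unbound  local-unbo 7070  4  tcp4   127.0.0.1:53          *:*
unbound  local-unbo 7070  5  udp4   192.168.1.46:53       *:*
unbound  local-unbo 7070  6  tcp4   192.168.1.46:53       *:*
nobody   dnsmasq    82276 8  udp4   *:53                  *:*
nobody   dnsmasq    82276 9  tcp4   *:53                  *:*
"""


def parse_sockstat(text):
    """Parse `sockstat -l` output into (user, command, pid, proto, addr, port) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 7:
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        addr, _, port = local.rpartition(":")   # "*:53" -> ("*", "53")
        rows.append((user, command, int(pid), proto, addr, int(port)))
    return rows


def find_port_conflicts(rows):
    """Return {(proto, port): [(command, pid, addr), ...]} for overlapping listeners.

    Two different PIDs overlap on a proto/port when one of them holds the
    wildcard address (*:port covers every local address) or when both bound
    the same address. A client's query is delivered to whichever socket the
    kernel matches for the destination address it used, so which daemon
    answers depends on the address the client asked, not on the config."""
    by_key = defaultdict(list)
    for _user, command, pid, proto, addr, port in rows:
        by_key[(proto, port)].append((command, pid, addr))
    conflicts = {}
    for key, listeners in by_key.items():
        if len({pid for _, pid, _ in listeners}) < 2:
            continue                              # a single daemon, nothing to report
        addrs = [addr for _, _, addr in listeners]
        if "*" in addrs or len(addrs) != len(set(addrs)):
            conflicts[key] = sorted(listeners)
    return conflicts


if __name__ == "__main__":
    found = find_port_conflicts(parse_sockstat(SAMPLE_SOCKSTAT))
    for (proto, port), listeners in sorted(found.items()):
        who = ", ".join(f"{cmd}[{pid}] on {addr}:{port}" for cmd, pid, addr in listeners)
        print(f"{proto} port {port} claimed by more than one process: {who}")
```

Feed it the output of `sockstat -l4p53` from the box in question; an empty result means the only listeners on port 53 belong to one daemon, which is what the rest of the thread works towards.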


----------



## chrbr (Apr 19, 2022)

I do not run unbound from the base system but from the package repository. I do not use forward.conf. And I do not have

```
options edns0
```
in /etc/resolv.conf. I also have not found this option in resolv.conf(5). But before trying my config, it is better to follow the advice of DutchDaemon. He is the guru, not me.


----------



## DutchDaemon (Apr 19, 2022)

`options edns0` is a standard part of the automated setup of the local unbound process. It basically allows the resolver to use more modern/advanced options (because unbound supports them).


----------



## Sub4sub (Apr 19, 2022)

I have the router as a separate computer. It is plugged into the DMZ of the operator's router, because it has TV on a VLAN.


```
root@router:~ # ifconfig -a
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether CENZORED
        inet SOMEIP netmask 0xffffff00 broadcast SOMEIP
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether CENZORED
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb2: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether CENZORED
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb3: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether CENZORED
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether CENZORED
        inet SOME_EXT_IP netmask 0xffffff00 broadcast SOME_EXT_IP
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether CENZORED
        groups: wlan
        ssid "" channel 1 (2412 MHz 11b)
        regdomain FCC country US authmode OPEN privacy OFF txpower 30
        bmiss 10 scanvalid 60 wme bintval 0
        parent interface: iwn0
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

root@router:~ #
```

`re0` is set as a fixed input for Internet connections from the operator's router.

The internal LAN is on `igb0` and dnsmasq runs on that interface. I am not setting it up yet, and it should not be associated with local_unbound.

For now I want to run local_unbound so that it works locally.

============================================

I disabled dnsmasq and set the local IP addresses of the computer I am writing from.
I ran a tcpdump on re0:

```
root@router:~ # sockstat -l4p53
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  local-unbo 1289  3  udp4   127.0.0.1:53          *:*
unbound  local-unbo 1289  4  tcp4   127.0.0.1:53          *:*
unbound  local-unbo 1289  5  udp4   192.168.1.46:53       *:*
unbound  local-unbo 1289  6  tcp4   192.168.1.46:53       *:*
root@router:~ # service local_unbound status
/etc/rc.d/local_unbound: DEBUG: checkyesno: local_unbound_enable is set to YES.
local_unbound is running as pid 1289.
root@router:~ # sockstat -4 | grep unbound
unbound  local-unbo 1289  3  udp4   127.0.0.1:53          *:*
unbound  local-unbo 1289  4  tcp4   127.0.0.1:53          *:*
unbound  local-unbo 1289  5  udp4   192.168.1.46:53       *:*
unbound  local-unbo 1289  6  tcp4   192.168.1.46:53       *:*
root@router:~ #
```

Unchanged

`options edns0` is set.

If I put the DNS address in /etc/resolv.conf and lock the file against changes with `chflags schg`, it works.


----------



## DutchDaemon (Apr 19, 2022)

Run (in a separate session) `tcpdump -s 0 -pnli re0 dst port 53 and dst net 208.67.216.0/21` and see whether any DNS requests actually make it out at all. If so, drop the `dst port 53 and dst` portion of it and see whether it's a two-way street.

By the way, your dnsmasq process was bound to *:53, not to one interface specifically (e.g. 10.1.1.1:53), so it cannot have been optimal.


----------



## Sub4sub (Apr 19, 2022)

A little strange. /usr/local/etc/dnsmasq.conf:

```
domain-needed

server=8.8.8.8
server=8.8.4.4

dhcp-range=set:igb0,192.168.66.60,192.168.66.221,255.255.255.0,24h
dhcp-option=igb0,option:router,192.168.66.60
```
I also configured named, but lost the config.
dnsmasq works all the time; named, which opened, allocated and closed, was better.

=================================================


When I force a ping nothing happens.

There are records coming from the local network when, for example, I post a comment.

Also localhost (lo0).


----------



## DutchDaemon (Apr 19, 2022)

Try `dig @127.0.0.1 A www.freebsd.org` (or, `drill` if you don't have dig). To me it still looks like nothing is actually picking up DNS requests at localhost.


----------



## Sub4sub (Apr 19, 2022)

```
root@router:~ # dig @127.0.0.1 A www.freebsd.org
net.c:538: probing sendmsg() with IP_TOS=b8 failed: Permission denied
net.c:538: probing sendmsg() with IPV6_TCLASS=b8 failed: Permission denied

; <<>> DiG 9.16.27 <<>> @127.0.0.1 A www.freebsd.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

root@router:~ #
```


----------



## mer (Apr 19, 2022)

Is there any log for the unbound process?  
The dnsmasq process is listening on all interfaces on port 53; as we've posited before, perhaps that is affecting the local unbound process.  
I would stop the dnsmasq service, stop local unbound, start local unbound and do the dig command DutchDaemon gave.  
If that works, then the root cause of the issue is something going on between dnsmasq and unbound.


----------



## DutchDaemon (Apr 19, 2022)

Or else you're looking at a possible jail issue, if you're using those (like https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220550).


----------



## Sub4sub (Apr 19, 2022)

> I would stop the dnsmasq service


I disabled dnsmasq a long time ago.
I don't use jails.


In this link https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220550#c3, in comment three, Mr. miguelmclara writes:



> So I see this since I upgraded my host to 11.1 (I also have jails but this is in the host it self)
> 
> % dig google.com
> net.c:594: probing sendmsg() with IP_TOS=b8 failed: Permission denied
> ...




I can't do that because I have NAT set up in PF and I would be cut off from the router. I set up NAT in IPFW, mixed up the ports, and gave up on it.

My main firewall is IPFW, which currently only blocks ports where something is listening (SSH, Samba and some server). A bit of an inelegant solution and I want to change it.


```
ext_if="re0"
int_if="igb0"

#TOR1
rdr pass on $int_if proto tcp from any to any port 1234 -> $int_if
rdr pass on $int_if proto tcp from any port 8080 to any -> $int_if
rdr pass on $int_if proto tcp from any port 445 to any -> $int_if
rdr pass on $int_if proto tcp from any port 139 to any -> $int_if
rdr pass on $int_if proto tcp from any port 138 to any -> $int_if
rdr pass on $int_if proto tcp from any port 137 to any -> $int_if
rdr pass on $int_if proto tcp from any port 631 to any -> $int_if

#rdr pass on $int_if proto tcp from any to any -> 127.0.0.1 port 9050
#rdr pass on $int_if proto tcp from any to any -> 127.0.0.1 port 9050
#rdr pass on $int_if proto tcp from any to any port 53 -> 127.0.0.1 port 9053
#rdr pass on $int_if proto udp from any to any port 53 -> 127.0.0.1 port 9053

set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
```

These two lines are responsible for redirecting everything that enters the router to the Tor port; it works, and bypasses dnsmasq and even the fixed connection settings in the system.


```
#rdr pass on $int_if proto tcp from any to any port 53 -> 127.0.0.1 port 9053
#rdr pass on $int_if proto udp from any to any port 53 -> 127.0.0.1 port 9053
```

Maybe this rule needs to be modified, because it seems strange to me that NAT is set on the output of the router.

```
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
```

I'm still watching this video; maybe it will work: https://www.youtube.com/watch?v=1OkpvQsdm24


----------



## Sub4sub (Apr 19, 2022)

So I followed this tutorial. This is unbound, not local_unbound.

I disabled local_unbound. To the file /usr/local/etc/unbound/unbound.conf, which is the configuration file for unbound, not for local_unbound, the following was added:


```
server:

        interface: 0.0.0.0

        access-control: 192.168.0.0/24 allow
        access-control: 127.0.0.1 allow
        access-control: 10.1.0.0/24 allow


forward-zone:

        name: "."

        forward-addr: 208.67.222.222
        forward-addr: 208.67.220.220
        forward-first: yes
```

Running the check from the guide, no errors were printed:


```
root@router:~ # unbound-checkconf
unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf
root@router:~ #
```

Sockstat showed unbound listening on port 53.


```
root@router:~ # sockstat -l4p53
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    40543 3  udp4   *:53                  *:*
unbound  unbound    40543 4  tcp4   *:53                  *:*
root@router:~ #
```

Following the guide, the address of the gateway, in this case 10.1.1.1, was entered in the cmd.exe console:



```
C:\Users\pc>nslookup
Default Server:  dns.google
Address:  8.8.8.8

> server 10.1.1.1
Default Server:  [10.1.1.1]
Address:  10.1.1.1

>
```

Then tcpdump was started with `tcpdump -ni igb0 udp port 53`:


```
root@router:~ # tcpdump -ni igb0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:18:42.604133 IP 10.1.1.132.60639 > 10.1.1.1.53: 7+ A? google.com. (28)
18:18:42.604286 IP 10.1.1.1.53 > 10.1.1.132.60639: 7 Refused- [0q] 0/0/0 (12)
18:18:42.604529 IP 10.1.1.132.60640 > 10.1.1.1.53: 8+ AAAA? google.com. (28)
18:18:42.604666 IP 10.1.1.1.53 > 10.1.1.132.60640: 8 Refused- [0q] 0/0/0 (12)
18:18:42.604940 IP 10.1.1.132.60641 > 10.1.1.1.53: 9+ A? google.com. (28)
18:18:42.605010 IP 10.1.1.1.53 > 10.1.1.132.60641: 9 Refused- [0q] 0/0/0 (12)
18:18:42.605197 IP 10.1.1.132.60642 > 10.1.1.1.53: 10+ AAAA? google.com. (28)
18:18:42.605235 IP 10.1.1.1.53 > 10.1.1.132.60642: 10 Refused- [0q] 0/0/0 (12)
^C
8 packets captured
31 packets received by filter
0 packets dropped by kernel
root@router:~ #
```

Also not working locally

===========================================

I copied the config from unbound to local_unbound, that is, from

/usr/local/etc/unbound/unbound.conf

to

/var/unbound/unbound.conf

and it returned errors:


```
root@router:~ # service local_unbound onestart
/etc/rc.d/local_unbound: DEBUG: pid file (/var/run/local_unbound.pid): not readable.
/etc/rc.d/local_unbound: DEBUG: checkyesno: local_unbound_enable is set to YES.
/etc/rc.d/local_unbound: DEBUG: run_rc_command: start_precmd: local_unbound_prestart
Starting local_unbound.
/etc/rc.d/local_unbound: DEBUG: run_rc_command: doit:  limits -C daemon  /usr/sbin/local-unbound -c /var/unbound/unbound.conf
/etc/rc.d/local_unbound: DEBUG: run_rc_command: start_postcmd: local_unbound_poststart
Waiting for nameserver to start...[1650385848] unbound-control[83365:0] warning: control-enable is 'no' in the config file.
[1650385848] unbound-control[83365:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650385849] unbound-control[84845:0] warning: control-enable is 'no' in the config file.
[1650385849] unbound-control[84845:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650385850] unbound-control[87055:0] warning: control-enable is 'no' in the config file.
[1650385850] unbound-control[87055:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650385851] unbound-control[88648:0] warning: control-enable is 'no' in the config file.
[1650385851] unbound-control[88648:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650385852] unbound-control[90356:0] warning: control-enable is 'no' in the config file.
[1650385852] unbound-control[90356:0] error: connect: Permission denied for 127.0.0.1 port 8953
 giving up
root@router:~ #
```

So I added the remote-control section to the file
/var/unbound/unbound.conf:


```
remote-control:
        control-enable: yes
        control-use-cert: no
```

And I got this:


```
root@router:~ # service local_unbound onestart
/etc/rc.d/local_unbound: DEBUG: pid file (/var/run/local_unbound.pid): not readable.
/etc/rc.d/local_unbound: DEBUG: checkyesno: local_unbound_enable is set to YES.
/etc/rc.d/local_unbound: DEBUG: run_rc_command: start_precmd: local_unbound_prestart
Starting local_unbound.
/etc/rc.d/local_unbound: DEBUG: run_rc_command: doit:  limits -C daemon  /usr/sbin/local-unbound -c /var/unbound/unbound.conf
/etc/rc.d/local_unbound: DEBUG: run_rc_command: start_postcmd: local_unbound_poststart
Waiting for nameserver to start...[1650386306] unbound-control[13019:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650386307] unbound-control[13225:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650386308] unbound-control[13687:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650386309] unbound-control[14113:0] error: connect: Permission denied for 127.0.0.1 port 8953
.[1650386310] unbound-control[14243:0] error: connect: Permission denied for 127.0.0.1 port 8953
 giving up
root@router:~ #
```

*How do I unblock this port for local_unbound, because I assume it is its port?*
Interestingly, the second time it does not start because the port is in use.


```
root@router:~ # service local_unbound onestart
/etc/rc.d/local_unbound: DEBUG: pid file (/var/run/local_unbound.pid): not readable.
/etc/rc.d/local_unbound: DEBUG: checkyesno: local_unbound_enable is set to YES.
/etc/rc.d/local_unbound: DEBUG: run_rc_command: start_precmd: local_unbound_prestart
Starting local_unbound.
/etc/rc.d/local_unbound: DEBUG: run_rc_command: doit:  limits -C daemon  /usr/sbin/local-unbound -c /var/unbound/unbound.conf
[1650386462] local-unbound[20985:0] error: bind: address already in use
[1650386462] local-unbound[20985:0] fatal error: could not open ports
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
root@router:~ #
```

edit:

The problem lies with IPFW.
I turned it off for a while and it worked:


```
root@router:~ # ping google.com
PING google.com (142.250.203.142): 56 data bytes
64 bytes from 142.250.203.142: icmp_seq=0 ttl=118 time=9.386 ms
64 bytes from 142.250.203.142: icmp_seq=1 ttl=118 time=13.587 ms
64 bytes from 142.250.203.142: icmp_seq=2 ttl=118 time=8.222 ms
64 bytes from 142.250.203.142: icmp_seq=3 ttl=118 time=10.099 ms
64 bytes from 142.250.203.142: icmp_seq=4 ttl=118 time=11.017 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.222/10.462/13.587/1.810 ms
root@router:~ #
```


----------



## Sub4sub (Apr 19, 2022)

What command should I enter to check if it hashes DNS records?

I will just pull out the ethernet cable and check offline.
And in what file does unbound or local_unbound store the records?


----------



## chrbr (Apr 19, 2022)

You can increase the verbosity level in the config file. Unbound must be restarted or must reload the config file. Then you will find lines like the one below in the log:

```
Apr 19 17:10:14 <daemon.info> celsius unbound[10523]: [10523:0] info: found in cache ns.heise.de. A IN
```
I am not sure if the records are stored in a file.


----------



## Sub4sub (Apr 19, 2022)

The firewall was sloppily done. That's why it didn't work.
So far local_unbound; now I want to set up unbound for the LAN.

With this /etc/ipfw.rules file it works:


```
ipfw -q -f flush

ext_if="re0"
int_if="igb0"
my_ip="192.168.1.46"

#ipfw -q add 100 allow log all from any to any
#ipfw -q add 200 deny icmp from any to any

#IPv6
ipfw -q add 300 deny ipv6 from any to any
ipfw -q add 400 deny all from any to any frag

#LOOPBACK lo0
ipfw -q add 500 allow all from any to any via lo0

#NTPDATE
#ipfw -q add 600 allow udp from $my_ip to any dst-port 123 out keep-state

#EXTERNAL INTERFACE
ipfw -q add 900 allow tcp from any 9001 to $my_ip in via $ext_if
ipfw -q add 1000 allow tcp from any 9030 to $my_ip in via $ext_if
ipfw -q add 1100 allow tcp from $my_ip to any 9001 out via $ext_if
ipfw -q add 1200 allow tcp from $my_ip to any 9030 out via $ext_if

ipfw -q add 1210 allow tcp from $my_ip to any 53 out setup keep-state via $ext_if
ipfw -q add 1220 allow udp from $my_ip to any 53 out keep-state via $ext_if

ipfw -q add 1300 deny all from any to any in via $ext_if

ipfw -q add 1400 allow udp from $my_ip to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from $my_ip to any 67 out keep-state via $ext_if

ipfw -q add 2000 allow tcp from $my_ip to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from $my_ip to any 443 out setup keep-state via $ext_if

ipfw -q add 2200 deny all from any to any via $ext_if

#INTERNAL INTERFACE
ipfw -q add 2300 allow tcp from 10.1.1.0/24 to 10.1.1.1 1234 in via $int_if
ipfw -q add 2400 allow tcp from 10.1.1.1 1234 to 10.1.1.0/24 out via $int_if

ipfw -q add 2500 allow tcp from 10.1.1.1 445 to 10.1.1.0/24 out via $int_if
ipfw -q add 2600 allow tcp from 10.1.1.1 139 to 10.1.1.0/24 out via $int_if
ipfw -q add 2700 allow udp from 10.1.1.1 138 to 10.1.1.0/24 out via $int_if
ipfw -q add 2800 allow udp from 10.1.1.1 137 to 10.1.1.0/24 out via $int_if

ipfw -q add 2900 allow tcp from 127.0.0.1 9050 to 10.1.1.0/24 out via $int_if
ipfw -q add 3000 allow udp from 127.0.0.1 9053 to 10.1.1.0/24 out via $int_if

ipfw -q add 3100 deny all from any to any out via $int_if

ipfw -q add 3200 allow udp from 10.1.1.0/24 to any 68 in keep-state via $int_if
ipfw -q add 3300 allow udp from 10.1.1.0/24 to any 67 in keep-state via $int_if

ipfw -q add 3400 allow tcp from 10.1.1.0/24 to any 53 in setup keep-state via $int_if
ipfw -q add 3500 allow udp from 10.1.1.0/24 to any 53 in keep-state via $int_if

ipfw -q add 3600 allow tcp from 10.1.1.0/24 to any 80 in setup keep-state via $int_if
ipfw -q add 3700 allow tcp from 10.1.1.0/24 to any 443 in setup keep-state via $int_if

ipfw -q add 3800 allow tcp from 10.1.1.0/24 to 10.1.1.1 445 in via $int_if
ipfw -q add 3900 allow tcp from 10.1.1.0/24 to 10.1.1.1 139 in via $int_if
ipfw -q add 4000 allow udp from 10.1.1.0/24 to 10.1.1.1 137 in via $int_if
ipfw -q add 4100 allow udp from 10.1.1.0/24 to 10.1.1.255 137 in via $int_if

ipfw -q add 4200 allow tcp from 10.1.1.0/24 to 10.1.1.1 dst-port 8080 in setup keep-state via $int_if

ipfw -q add 4300 deny all from any to any via $int_if

#BLOCKING
ipfw -q add 4400 deny all from 10.0.0.0/8 to any
ipfw -q add 4500 deny all from any to 10.0.0.0/8

ipfw -q add 4600 deny all from 192.168.0.0/16 to any
ipfw -q add 4700 deny all from any to 192.168.0.0/16

ipfw -q add 4800 deny all from 172.16.0.0/16 to any
ipfw -q add 4900 deny all from any to 172.16.0.0/16

ipfw -q add 5000 deny all from 172.17.0.0/16 to any
ipfw -q add 5100 deny all from any to 172.17.0.0/16

ipfw -q add 5200 deny all from 172.18.0.0/16 to any
ipfw -q add 5300 deny all from any to 172.18.0.0/16

ipfw -q add 5400 deny all from 172.19.0.0/16 to any
ipfw -q add 5500 deny all from any to 172.19.0.0/16

ipfw -q add 5600 deny all from 172.20.0.0/16 to any
ipfw -q add 5700 deny all from any to 172.20.0.0/16

ipfw -q add 5800 deny all from 172.21.0.0/16 to any
ipfw -q add 5900 deny all from any to 172.21.0.0/16

ipfw -q add 6000 deny all from 172.22.0.0/16 to any
ipfw -q add 6100 deny all from any to 172.22.0.0/16

ipfw -q add 6200 deny all from 172.23.0.0/16 to any
ipfw -q add 6300 deny all from any to 172.23.0.0/16

ipfw -q add 6400 deny all from 172.24.0.0/16 to any
ipfw -q add 6500 deny all from any to 172.24.0.0/16

ipfw -q add 6600 deny all from 172.25.0.0/16 to any
ipfw -q add 6700 deny all from any to 172.25.0.0/16

ipfw -q add 6800 deny all from 172.26.0.0/16 to any
ipfw -q add 6900 deny all from any to 172.26.0.0/16

ipfw -q add 7000 deny all from 172.27.0.0/16 to any
ipfw -q add 7100 deny all from any to 172.27.0.0/16

ipfw -q add 7200 deny all from 172.28.0.0/16 to any
ipfw -q add 7300 deny all from any to 172.28.0.0/16

ipfw -q add 7400 deny all from 172.29.0.0/16 to any
ipfw -q add 7500 deny all from any to 172.29.0.0/16

ipfw -q add 7600  deny all from 172.30.0.0/16 to any
ipfw -q add 7700 deny all from any to 172.30.0.0/16

ipfw -q add 7800 deny all from 172.31.0.0/16 to any
ipfw -q add 7900 deny all from any to 172.31.0.0/16

ipfw -q add 8000 deny all from any to any
```

local_unbound hash records


```
root@router:~ # ping google.com
PING google.com (142.250.203.142): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- google.com ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss
root@router:~ # ping google.com
PING google.com (142.250.203.142): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- google.com ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
root@router:~ #
```


----------



## Sub4sub (Apr 19, 2022)

That was my mistake. The tutorial said 192.168.0.0/24 and I have 10.1.1.0/24. I didn't count and rewrote it without thinking, hence it didn't work.

I configured local_unbound to work with Tor by putting `forward-addr: 127.0.0.1@9053` in the file /var/unbound/unbound.conf, that is, the port on which Tor runs.
It works and pings to previously unchecked sites.



```
server:
        interface: igb0
        access-control: 127.0.0.1 allow
        access-control: 10.1.1.0/24 allow

forward-zone:
        name: "Router"
        forward-addr: 127.0.0.1@9053
        forward-first: yes

remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: 127.0.0.1
```
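A worked check for the `Refused` replies captured with tcpdump earlier in the thread and for the access-control mistake explained in this post. This is added example code, not from any poster; it assumes unbound's access-control semantics as documented in unbound.conf(5), namely that the most specific matching netblock decides and an address matching no entry is refused. The tcpdump lines and the two access-control lists are copied from the thread's own posts and embedded as constants.

```python
import ipaddress
import re

# Constructed sample: the tcpdump lines posted earlier in this thread, where the
# Windows client 10.1.1.132 asks the router 10.1.1.1 and gets "Refused" back.
SAMPLE_CAPTURE = """\
18:18:42.604133 IP 10.1.1.132.60639 > 10.1.1.1.53: 7+ A? google.com. (28)
18:18:42.604286 IP 10.1.1.1.53 > 10.1.1.132.60639: 7 Refused- [0q] 0/0/0 (12)
18:18:42.604529 IP 10.1.1.132.60640 > 10.1.1.1.53: 8+ AAAA? google.com. (28)
18:18:42.604666 IP 10.1.1.1.53 > 10.1.1.132.60640: 8 Refused- [0q] 0/0/0 (12)
"""

# access-control lines copied from the tutorial (192.168.0.0/24 and 10.1.0.0/24,
# neither of which contains 10.1.1.132) and the corrected ones (10.1.1.0/24).
ACL_FROM_TUTORIAL = [("192.168.0.0/24", "allow"), ("127.0.0.1", "allow"), ("10.1.0.0/24", "allow")]
ACL_CORRECTED = [("127.0.0.1", "allow"), ("10.1.1.0/24", "allow")]


def access_control_action(acl, client_ip):
    """Decide what unbound's access-control list does with a query from client_ip.

    Assumed semantics (unbound.conf(5)): the most specific netblock containing
    the address wins; an address matching no entry gets "refuse"."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_action = None, "refuse"
    for netblock, action in acl:
        net = ipaddress.ip_network(netblock, strict=False)
        if ip.version == net.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_action = net, action
    return best_action


# One tcpdump DNS line: "IP src.sport > dst.dport: txid[+] rest"
TCPDUMP_DNS = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<txid>\d+)\+? (?P<rest>.*)")


def parse_dns_capture(text, server_port=53):
    """Pair each query with its reply by (client, transaction id).

    Returns a list of (client_ip, qname, refused) for every reply seen."""
    pending, results = {}, []
    for line in text.splitlines():
        m = TCPDUMP_DNS.search(line)
        if not m:
            continue
        if int(m["dport"]) == server_port:            # client -> server: query
            qname = m["rest"].split()[1].rstrip(".")  # "A? google.com. (28)" -> google.com
            pending[(m["src"], m["txid"])] = qname
        elif int(m["sport"]) == server_port:          # server -> client: reply
            qname = pending.pop((m["dst"], m["txid"]), None)
            if qname is not None:
                results.append((m["dst"], qname, "Refused" in m["rest"]))
    return results


def check_capture_against_acl(acl, capture):
    """For each reply in the capture, pair what was seen with what the ACL predicts.

    Returns [(client_ip, qname, refused_in_capture, acl_action)]."""
    return [(client, qname, refused, access_control_action(acl, client))
            for client, qname, refused in parse_dns_capture(capture)]


if __name__ == "__main__":
    for acl_name, acl in (("tutorial", ACL_FROM_TUTORIAL), ("corrected", ACL_CORRECTED)):
        for client, qname, refused, action in check_capture_against_acl(acl, SAMPLE_CAPTURE):
            seen = "Refused" if refused else "answered"
            print(f"{acl_name:9} {client} {qname}: capture={seen} acl={action}")
```

With the tutorial's list the prediction for 10.1.1.132 is `refuse`, which matches every `Refused` reply in the capture; with the corrected 10.1.1.0/24 entry the same client is allowed. Running the ACL check against a fresh `tcpdump -ni igb0 udp port 53` capture is a quick way to tell an access-control problem apart from a firewall or forwarding problem before editing anything.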


----------

