NAT32

Reference Manual


NAME

restrict - Overview of network restriction options
SYNOPSIS
allow [on | off] | [ifn [proto [port [delete]]]]
isolate [ifn [on | off | flag]]
white [ifn [on | off | flag]]


...
DESCRIPTION

Each restriction described below is applied per interface: it limits certain kinds of traffic flowing between the Internet and every machine on the network attached to that interface. To filter traffic for an individual machine rather than a whole network, see the setf command.

allow

This command specifies the TCP or UDP destination port numbers that NAT32 is permitted to map (translate) for the given interface. While the feature is on, all other traffic over that interface is silently discarded. Ports can be added (or removed with the delete argument) while the feature is off; the feature is then turned on to map only the listed ports, or turned off again to map all ports, as needed.

isolate

This command blocks data transfers between private networks. Machines on an isolated network can still communicate with the Internet and with each other, but not with machines on any other private network behind NAT32. A flag value of 2 additionally blocks access to the NAT32 honeypot processes.

white

This command specifies that only DNS requests for white-listed names arriving from the given interface are resolved; requests for other names are not answered. Special local names such as nat32.box are always resolved regardless of the white list, unless a flag value of 2 is specified, in which case they are blocked as well.

NOTES

Some web browsers perform certificate revocation checks (OCSP requests and CRL downloads) over plain HTTP on TCP port 80. When allow is on, TCP port 80 must therefore be permitted alongside TCP port 443, otherwise HTTPS connections on a port-restricted interface can fail or stall at the revocation check.

Some web browsers use the QUIC protocol over UDP ports 80 and 443 to contact web servers. For users who value their privacy, those UDP ports should be blocked (with allow on, simply not adding them to the allow list suffices); browsers then fall back to TCP, where the TCP-based restrictions above apply.

Some systems use encrypted Domain Name resolution (for example DNS over TLS or DNS over HTTPS). If clients encrypt their queries themselves, NAT32 cannot see the requested names and the white list no longer has any effect. For users who value privacy, the ideal place to do encrypted name resolution is therefore the external router: clients keep sending plain DNS to NAT32, so NAT32 DNS filtering remains functional, and only the router's upstream queries are encrypted. Many Internet routers (such as the FritzBox) support encrypted DNS protocols such as DNS over TLS, as do DNS resolvers such as PiHole.
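The following command sequence is an added example and is not taken from the NAT32 manual; it puts the three commands and the notes above together for one interface. It follows the SYNOPSIS grammar, but the interface number (1), the protocol keywords (tcp, udp) and the # comments are assumptions for illustration and may not match NAT32's actual spelling; the comments are explanatory only, not NAT32 syntax.

```text
# Restrict the network on interface 1 to web and plain DNS traffic.
# Interface number and proto keywords are assumed, not taken from the manual.

# Build the allow list while the feature is still off (all ports mapped).
allow 1 tcp 80          # plain HTTP; also carries OCSP/CRL revocation checks
allow 1 tcp 443         # HTTPS
allow 1 udp 53          # plain DNS, so the white list below can see every query
# UDP 80 and 443 are deliberately NOT added: QUIC is dropped and browsers
# fall back to TCP, where the allow list applies.

# Enable selective mapping; everything not listed is now silently discarded.
allow on

# Keep interface 1's network away from the other private networks and,
# with flag 2, away from the NAT32 honeypot processes as well.
isolate 1 2

# Only resolve white-listed names for interface 1. Local names such as
# nat32.box still resolve; use "white 1 2" instead to block those too.
white 1 on

# Later: remove a port again, e.g. once plain HTTP is no longer needed.
allow 1 tcp 80 delete

# And to map all ports again without discarding the list:
allow off
```

Turning allow on before TCP 80 and 443 are both listed is the most common mistake: HTTPS sessions appear to hang because the revocation check on port 80 is being dropped. How the white-list entries themselves are maintained is not described on this page.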

SEE ALSO
IP filters, Throttle, PiHole, PiHole Admin