Re: connection state tracking with DNS [was Primary DNS...]

[Alice Wonder <alice@xxxxxxxxxxxxxx>]

On 04/14/2017 06:54 PM, Gordon Messmer wrote:
> On 04/11/2017 04:16 PM, Alice Wonder wrote:
> > Hi, I would like to see this addressed.
> > Is there a firewalld solution to this issue?
>
>
> Yes:
>
> # Disable connection tracking for UDP DNS traffic
> #
> https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
>
> firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m
> conntrack --ctstate UNTRACKED -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m
> conntrack --ctstate UNTRACKED -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p
> udp -m udp --dport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p
> udp -m udp --sport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp
> -m udp --dport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp
> -m udp --sport 53 -j CT --notrack
> firewall-cmd --reload

Thank you!


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos