Hi Eric and Noel,

> On Aug 8, 2017, at 8:11 PM, Eric Leblond <eric@xxxxxxxxx> wrote:
>
> Well, there is a series of mistakes here. First, the usual way to write the
> rules is to have one rule for established packets (that can also
> include related):
>
> add rule filter input ct state established accept
> add rule filter output ct state established accept
>
> This rule will take care of all replies and other packets. The only
> thing you have to do after that is to accept the packets that open an
> exchange.
>
> As you want to allow DNS resolution, you need to open DNS traffic:
>
> add rule filter output ct state new udp dport domain accept
>
> Clients don't use TCP often, but you will indeed need an extra rule if
> you ever want to:
>
> add rule filter output ct state new tcp dport domain accept

Ok, thanks for the correction regarding style. Out of curiosity, was the original syntax I specified logically incorrect (in the sense that there would be errors in my firewall ruleset), as well as being poor style? I want to follow the convention; I'm just wondering if the way I am forming rules can lead to errors as well.

Thanks,
- J
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
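As an added example, not part of the thread above, the pattern Eric describes assembled into one complete nftables ruleset file. Everything beyond his four rules is an assumption made here for illustration: the `inet` family, the table name `filter`, a `drop` policy on both chains (so the explicit `accept` rules actually matter), and a loopback accept so a local resolver keeps working.

```nft
# Added example (not from the mailing-list thread). Assumptions: inet family,
# table name "filter", drop policy on input and output, loopback accepted.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # One rule handles every reply to a connection this host opened,
        # plus related traffic such as ICMP errors. Keep it first so the
        # bulk of packets match here and never reach the per-service rules.
        ct state established,related accept

        # Assumption: allow local services / a local resolver on lo.
        iif "lo" accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept

        # Only the packet that opens a new DNS exchange needs its own rule;
        # the established rule above covers everything that follows.
        ct state new udp dport domain accept
        ct state new tcp dport domain accept
    }
}
```

Load it with `nft -f ruleset.nft` and confirm with `nft list ruleset`. Note the caveat the drop policy creates: with this file loaded, every other kind of outbound traffic (HTTP, SSH, NTP, ...) needs its own `ct state new ... accept` rule in the output chain, following the same pattern as the two DNS rules.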