disabling stateful firewalls for DNS traffic

/dev/rob0 rob0 at gmx.co.uk
Mon Mar 3 03:28:15 UTC 2014


On Mon, Mar 03, 2014 at 09:48:20AM +0800, Drunkard Zhang wrote:
> 2014-03-02 3:04 GMT+08:00 /dev/rob0 <rob0 at gmx.co.uk>:
snip
> > root at tp:~# iptables-save
snip
> > # Generated by iptables-save v1.4.20 on Sat Mar  1 12:42:55 2014
> > *raw
> > :PREROUTING ACCEPT [96:19019]
> > :OUTPUT ACCEPT [118:13918]
> > -A PREROUTING -p udp -m udp --dport 53 -m comment --comment "do not track inbound DNS queries on UDP" -j NOTRACK
> > -A PREROUTING -p udp -m udp --sport 53 -m comment --comment "do not track inbound DNS replies on UDP" -j NOTRACK
> > -A OUTPUT -p udp -m udp --dport 53 -m comment --comment "do not track outbound DNS queries on UDP" -j NOTRACK
> > -A OUTPUT -p udp -m udp --sport 53 -m comment --comment "do not track outbound DNS replies on UDP" -j NOTRACK
> 
> The NOTRACK module is being deprecated in the kernel; the equivalent usage is:
> -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack

Thank you for this. IIRC you are right. Unfortunately the
iptables-extensions manual does not say one way or another, but
I will take your word for it, along with a vague recollection of
something I once read on the Netfilter mailing list.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
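
The raw-table rule set discussed above, rewritten with the CT target as Drunkard Zhang suggests, as an added example that is not part of either poster's message. It is a small POSIX shell script: `notrack_target` picks `CT --notrack` when the running kernel lists the CT target in /proc/net/ip_tables_targets (that file and its one-name-per-line format are an assumption about the host, and the function accepts another path for testing) and falls back to NOTRACK otherwise; `dns_notrack_rules` emits an iptables-restore fragment for the raw table. The comment strings and the optional protocol argument are mine, not the original poster's.

```shell
#!/bin/sh
# Added example (not from the original post): generate raw-table rules that
# exempt DNS on port 53 from connection tracking, using "CT --notrack" on
# kernels that provide the CT target and the older NOTRACK target elsewhere.

# Print the target expression to use.  $1 optionally overrides the list of
# registered targets (assumed to be /proc/net/ip_tables_targets, one name per
# line, on the running host).
notrack_target() {
    targets_file="${1:-/proc/net/ip_tables_targets}"
    if [ -r "$targets_file" ] && grep -qx CT "$targets_file"; then
        echo "CT --notrack"
    else
        echo "NOTRACK"
    fi
}

# Emit an iptables-restore fragment for the raw table.
#   $1  target expression, e.g. "CT --notrack" or "NOTRACK"
#   $2  protocol, udp by default (pass tcp to cover DNS over TCP as well)
# PREROUTING sees packets arriving at the host, OUTPUT sees locally generated
# ones, so --dport 53 in PREROUTING is an inbound query and --sport 53 in
# OUTPUT is an outbound reply.
dns_notrack_rules() {
    target="$1"
    proto="${2:-udp}"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p $proto -m $proto --dport 53 -m comment --comment "do not track inbound DNS queries on $proto" -j $target
-A PREROUTING -p $proto -m $proto --sport 53 -m comment --comment "do not track inbound DNS replies on $proto" -j $target
-A OUTPUT -p $proto -m $proto --dport 53 -m comment --comment "do not track outbound DNS queries on $proto" -j $target
-A OUTPUT -p $proto -m $proto --sport 53 -m comment --comment "do not track outbound DNS replies on $proto" -j $target
COMMIT
EOF
}

# Usage (needs root and iptables on the host; --noflush appends to the
# existing raw table instead of replacing it):
#   dns_notrack_rules "$(notrack_target)" udp | iptables-restore --noflush
```

One caveat worth checking after loading such rules: packets that bypass conntrack carry the state UNTRACKED, so they no longer match a filter-table rule such as `-m state --state ESTABLISHED,RELATED`. A filter table that relies on that rule to admit DNS replies needs an explicit accept for the untracked traffic, for example `-m conntrack --ctstate UNTRACKED -p udp --sport 53 -j ACCEPT` (and the matching `--dport 53` rule for queries), or the resolver's replies will be dropped. After the rules are in place, `conntrack -L -p udp --dport 53` should show no new entries while DNS traffic is flowing.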


More information about the bind-users mailing list