[CentOS] connection state tracking with DNS [was Primary DNS...]

Alice Wonder alice at domblogger.net
Sat Apr 15 02:23:01 UTC 2017


On 04/14/2017 06:54 PM, Gordon Messmer wrote:
> On 04/11/2017 04:16 PM, Alice Wonder wrote:
>> Hi, I would like to see this addressed.
>> Is there a firewalld solution to this issue?
>
>
> Yes:
>
> # Disable connection tracking for UDP DNS traffic
> #
> https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
>
> firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
> firewall-cmd --reload
>
>

Thank you!
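An added audit check, not from the thread, that verifies the complete rule set quoted above is present in `firewall-cmd --direct --get-all-rules` output: the two filter-table UNTRACKED accept rules matter as much as the raw-table --notrack rules, because DNS packets that bypass conntrack no longer match ESTABLISHED,RELATED and would otherwise fall through to the zone rules. The two sample rule listings are constructed; the function name and its output format are my own.

```shell
#!/bin/sh
# Constructed sample in the format of `firewall-cmd --direct --get-all-rules`
# (one rule per line: <ipv> <table> <chain> <priority> <args...>).
COMPLETE_RULES='ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack'

# Constructed partial set: --notrack applied, but the UNTRACKED accept rules
# were never added, so untracked DNS packets miss the stateful accept.
INCOMPLETE_RULES='ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack'

# check_dns_notrack RULES
# Returns 0 when every rule of the set is present (any priority value),
# otherwise lists the missing rules on stderr and returns 1.
check_dns_notrack() {
    rules=$1
    missing=0
    for want in \
        'ipv4 filter INPUT [0-9]* -m conntrack --ctstate UNTRACKED -j ACCEPT' \
        'ipv4 filter FORWARD [0-9]* -m conntrack --ctstate UNTRACKED -j ACCEPT' \
        'ipv4 raw PREROUTING [0-9]* -p udp -m udp --dport 53 -j CT --notrack' \
        'ipv4 raw PREROUTING [0-9]* -p udp -m udp --sport 53 -j CT --notrack' \
        'ipv4 raw OUTPUT [0-9]* -p udp -m udp --dport 53 -j CT --notrack' \
        'ipv4 raw OUTPUT [0-9]* -p udp -m udp --sport 53 -j CT --notrack'
    do
        printf '%s\n' "$rules" | grep -q -- "^${want}\$" || {
            echo "missing: $want" >&2
            missing=$((missing + 1))
        }
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone demonstration on the constructed samples.
check_dns_notrack "$COMPLETE_RULES" && echo "complete set: OK"
check_dns_notrack "$INCOMPLETE_RULES" || echo "incomplete set: rules missing"
# On a live host: check_dns_notrack "$(firewall-cmd --direct --get-all-rules)"
```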