Red Hat Bugzilla – Bug 65993
ifup-post and TCP DNS
Last modified: 2014-03-16 22:27:47 EDT
This is really low priority and I haven't been bitten by it, but just noticed
that ifup-post only punches the incoming UDP DNS traffic through the local
firewall, and the IPCHAINS-HOWTO has a small chapter related to outgoing TCP
DNS connections.
Maybe it would be good to make ifup-post do something like:
ipchains -I output -s 0/0 1024:65535 -d $nameserver/32 53 -p tcp -y -j ACCEPT
...so DNS would also work in cases where there are some restrictions on
outgoing traffic. Maybe also the corresponding rule with source port 53, and
the "-p tcp ! -y" input from these servers.
Closing, stateful connection handling takes care of this.
Yes, if the default config allows outgoing TCP connections to the DNS server,
and incoming related "replies". That's what I meant by "some restrictions on
outgoing traffic", IIRC.
No need to reopen though, as said this is a very low priority one, and people
should probably be taking care of it themselves if they place such restrictive
default rules. Just confirming that I understood your point.
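The rule set this report talks about, as an added example that is not the initscripts ifup-post script and not code from either commenter: for each IPv4 resolver in a resolv.conf-style file it prints the existing UDP hole, the two TCP rules proposed above (outgoing SYN to the resolver's port 53, non-SYN replies back to unprivileged ports), and the stateful iptables form that the closing comment relies on, where connection tracking admits the replies without a hand-written reply rule. The input file path, the function names, the sample resolv.conf and the 192.0.2.x/198.51.100.x addresses are assumptions; rules are printed, not applied, so it runs without root or ipchains.

```shell
#!/bin/sh
# Added example, not the ifup-post script from Red Hat's initscripts.
# Rules are echoed rather than executed so this runs without root or ipchains.

# Print the IPv4 nameserver addresses listed in a resolv.conf-style file
# (assumed input format; IPv6 and malformed entries are skipped).
dns_servers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' "$1"
}

# ipchains rules for one resolver.  ipchains has no connection tracking, so the
# reply direction must be opened explicitly.  "-y" matches SYN-only segments,
# so the input rule with "! -y" admits reply segments of a connection we opened
# but refuses a new connection from the resolver's port 53 to our high ports.
ipchains_dns_rules() {
    ns=$1
    echo "ipchains -A input  -p udp -s $ns/32 53 -d 0/0 1024:65535 -j ACCEPT"
    echo "ipchains -A output -p tcp -s 0/0 1024:65535 -d $ns/32 53 -y -j ACCEPT"
    echo "ipchains -A input  -p tcp -s $ns/32 53 -d 0/0 1024:65535 ! -y -j ACCEPT"
}

# Stateful equivalent with iptables: permit the new outgoing query and let the
# connection tracker match whatever comes back, instead of describing the
# reply by port numbers and SYN flag.
iptables_dns_rules() {
    ns=$1
    echo "iptables -A OUTPUT -p udp -d $ns --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $ns --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT  -s $ns -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Emit both rule sets for every resolver found in the given file.
dns_firewall_rules() {
    for ns in $(dns_servers "$1"); do
        ipchains_dns_rules "$ns"
        iptables_dns_rules "$ns"
    done
}

# Constructed sample resolv.conf (not taken from any real host).  The IPv6
# entry is there to show it is ignored by the IPv4-only pattern above.
sample_resolv_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
search example.com
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver 198.51.100.2
EOF
    echo "$f"
}

# Usage: sh dns-rules.sh [/etc/resolv.conf]; with no argument the sample is used.
if [ $# -gt 0 ]; then
    dns_firewall_rules "$1"
else
    sample=$(sample_resolv_conf)
    dns_firewall_rules "$sample"
    rm -f "$sample"
fi
```

The ipchains "! -y" input rule is the weaker of the two forms: it still lets the resolver (or anything spoofing its address and port 53) send non-SYN segments at every unprivileged port, which the stateful iptables version refuses because there is no tracked connection for them.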