On 08/05/2017 03:42 AM, Paolo Prandini wrote:
> I want to leave DNS queries and responses pass through
> blrules restrictions so I wrote in blrules
> 
> #ACTION  SOURCE           DEST             PROTO  DPORT
> ACCEPT   net              $FW              udp    53
> ACCEPT   net              $FW              tcp    53
> ACCEPT   $FW              net              udp    53
> ACCEPT   $FW              net              tcp    53
> DROP     net:+Blacklist   all
> DROP     net:+Blacklist   loc
> DROP     net:+Blacklist   $FW
> DROP     $FW              net:+Blacklist
> DROP     loc              net:+Blacklist
> DROP     all              net:+Blacklist
> 
> but it seems they are blocked anyway, I get
> 
> Error sending reply with sendto (socket=5): Operation not permitted
> 

Are DNS queries from the firewall to the net accepted by your rules
and/or policies? In the blrules file, ACCEPT simply excludes the
matching packets from being processed by the rest of the blrules
entries; it doesn't cause them to be accepted.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
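An added illustration of the point Tom makes above (example configuration written for this page, not Paolo's files and not a Shorewall project sample): the blrules ACCEPT entries only exempt DNS from the blacklist DROPs that follow them, so the same traffic still needs an ACCEPT in the rules file (or an ACCEPT policy) before the firewall will let it through. The file paths, the zone names net/loc, and the ipset name Blacklist are assumed; the DNS macro is Shorewall's standard macro for udp/tcp port 53.

```shorewall
###############################################################################
# /etc/shorewall/blrules  (assumed path)
#
# ACCEPT here means "stop matching against the rest of this file".
# It does NOT accept the packet; the rules/policy files still decide that.
###############################################################################
#ACTION   SOURCE            DEST             PROTO   DPORT
ACCEPT    net               $FW              udp     53
ACCEPT    net               $FW              tcp     53
ACCEPT    $FW               net              udp     53
ACCEPT    $FW               net              tcp     53
DROP      net:+Blacklist    all
DROP      all               net:+Blacklist

###############################################################################
# /etc/shorewall/rules  (assumed path)
#
# This is where DNS is actually permitted. Without these (or an ACCEPT
# policy covering $FW->net and net->$FW) the blrules exemptions change
# nothing, and a DROP/REJECT on the firewall's own outbound path is what
# a local resolver sees as "sendto: Operation not permitted".
###############################################################################
#ACTION        SOURCE    DEST    PROTO   DPORT
DNS(ACCEPT)    $FW       net
DNS(ACCEPT)    net       $FW
```

Run `shorewall check` after editing to compile the configuration without loading it; if the rules above are absent, the blacklist exemptions compile cleanly but the policy for $FW->net (or net->$FW) still governs port 53, which is why the resolver's sendto() fails.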


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
