master
parent
d0ee1bcfbb
commit
8a72b5b9cd
@ -38,6 +38,12 @@ source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# The local.conf file can be used to override any of the above files without having to worry
# about changes being overwritten when upgrading. Mostly useful for people who use a package
# manager.
[[ -e "{FWCONFIGDIR}/local.conf" ]] && source "{FWCONFIGDIR}/local.conf"
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
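Review bot: The new local.conf override never loads as written: `{FWCONFIGDIR}` on the `[[ -e … ]]` line is missing its `$`, so both the existence test and the `source` use the literal relative path `{FWCONFIGDIR}/local.conf` instead of the configured directory. Because that path is relative, it is also resolved against whatever the working directory happens to be when the firewall script runs, which is not a property you want for a file that is `source`d with the script's privileges. Change the line to `[[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"`, matching the expansions on the surrounding `source` lines. The bash-version `if` on the last line of the hunk continues past it.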
@ -232,12 +232,21 @@ function allow_dnsclient_manual {
esac
DNS_SERVERS="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
for i in ${DNS_SERVERS}; do
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
if [[ ${use_conntrack} == "yes" ]]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${i} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -s ${i} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
else
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
#${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
#${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
fi
done
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
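Review bot: The debug line inside the new `if [[ ${use_conntrack} == "yes" ]]` branch references `${server}`, but the loop variable is `i` and `server` is not assigned anywhere in this function, so the message reports an empty name (and would abort if `set -u` is in effect elsewhere in the script); change it to `${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to conntrack list for DNS traffic"`. Separately, the conntrack branch only adds UDP/53 rules and the TCP/53 rules in the fallback branch are commented out, while the pre-change body appears to have accepted TCP/53 as well, so resolvers that retry a truncated response over TCP would no longer get through on either path — if that is intended it deserves a comment, otherwise the conntrack branch should get a `-p tcp` pair mirroring its UDP rules. The subshell parentheses around the two `[[ … ]] && [[ … ]]` tests are unnecessary; `[[ ${IP_VERSION} == "ipv4" && ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"` says the same thing without forking. The function header of allow_dnsclient_manual is above the hunk.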