On Tue, Mar 08, 2022 at 05:35:54PM +0300, Andrei Borzenkov wrote:
> On 08.03.2022 17:31, Eric Garver wrote:
>> On Sun, Mar 06, 2022 at 11:26:38PM +0100, Koen Drai wrote:
>>> Hi,
>>>
>>> I am running an AdGuard Home DNS server in my home network (on Debian 11, which
>>> is v0.9.3).
>>>
>>> Works fine so far, but I am getting the following error messages in syslog:
>>> Mar 6 20:48:33 fook kernel: [160941.334608] "filter_IN_knet_REJECT:
>>> "IN=enp2s0 OUT= MAC=<MAC> SRC=5.9.164.112 DST=192.168.1.1 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=853 DPT=46170 WINDOW=0 RES=0x00 RST URGP=0
>>
>> A TCP RESET will be sent if the remote/server does not have a socket
>> listening on that port. This may indicate the packet passes through the
>> firewall, but no service is listening.
>>
> In this case it should be sent in response to a connection request, so it
> should be a related packet. Why is it rejected then?
My mistake. My colleague says it will be established.
>>> However, this request should not be rejected according to
>>> the configuration:
>>>
>>> /etc/firewalld/zones/knet.xml
>>> (...)
>>> <rule family="ipv4">
>>>   <!-- 853 TCP AdGuard Home-->
>>>   <source-port port="853" protocol="tcp"/>
>>>   <accept/>
>>> </rule>
>>> (...)
>>
>> This is using _source_ port. If this node is running a DNS-over-TLS
>> service then you want to use `<port ... />` instead.
Can you describe your setup a bit more?
Is the AdGuard Home DNS server the same node running firewalld?
Is the tcpdump also from that machine?
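The following is an added example, not code from the thread or from the firewalld project. It models only the port-match part of a firewalld rich rule (`<port>` compares the packet's destination port, `<source-port>` its source port) and evaluates constructed netfilter LOG lines against the rule as posted and against the `<port>` form suggested in the reply. Zone binding, conntrack state and rule ordering are deliberately out of scope, so it cannot explain why the posted packet was rejected; it only shows which packets each form of the rule would match. The zone fragment, the hosts 203.0.113.7 and 192.168.1.50, and the two extra log lines are constructed for illustration.

```python
# Added example, not from the firewalld thread or the firewalld project.
# It models only the <port>/<source-port> match of a firewalld rich rule
# against a netfilter LOG line, to show what each form matches.  Zone
# binding, conntrack state and rule ordering are NOT modelled, so it cannot
# say why the posted packet was rejected, only which rule form a packet hits.
import re
import xml.etree.ElementTree as ET

# Constructed zone fragment modelled on the posted knet.xml (only the rule
# under discussion; the rest of the zone is omitted).
ZONE_AS_POSTED = """<zone>
  <short>knet</short>
  <rule family="ipv4">
    <!-- 853 TCP AdGuard Home-->
    <source-port port="853" protocol="tcp"/>
    <accept/>
  </rule>
</zone>
"""

# The same rule using <port>, i.e. matching the *destination* port, which is
# the form for a DNS-over-TLS service listening on this node.
ZONE_FIXED = ZONE_AS_POSTED.replace('<source-port port="853"', '<port port="853"')

# Constructed log lines in the netfilter LOG format of the post.  The first
# mirrors the posted packet (RST from 5.9.164.112:853 to an ephemeral port).
# The other two are hypothetical: a SYN to sshd sent from a chosen source
# port of 853, and a DoT client SYN to port 853 on this host.
LOG_RST_FROM_853 = (
    "kernel: [160941.334608] filter_IN_knet_REJECT: IN=enp2s0 OUT= "
    "SRC=5.9.164.112 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF "
    "PROTO=TCP SPT=853 DPT=46170 WINDOW=0 RES=0x00 RST URGP=0")
LOG_SYN_SPT_853_TO_SSH = (
    "kernel: [160950.000001] filter_IN_knet_REJECT: IN=enp2s0 OUT= "
    "SRC=203.0.113.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
    "PROTO=TCP SPT=853 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0")
LOG_SYN_TO_853 = (
    "kernel: [160951.000002] filter_IN_knet_REJECT: IN=enp2s0 OUT= "
    "SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=51234 DPT=853 WINDOW=65535 RES=0x00 SYN URGP=0")

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(line):
    """Pull the fields this check needs out of a netfilter LOG line."""
    kv = dict(KV_RE.findall(line))
    return {
        "proto": kv["PROTO"].lower(),
        "src": kv["SRC"],
        "dst": kv["DST"],
        "spt": int(kv["SPT"]),
        "dpt": int(kv["DPT"]),
    }


def port_range(spec):
    """'853' -> (853, 853); '8000-8010' -> (8000, 8010)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_rules(zone_xml):
    """Return [(matches, action)] for each <rule> in a zone document.

    matches is a list of (tag, protocol, (lo, hi)); action is the tag of the
    terminal element (accept/reject/drop) or None.  ElementTree drops the
    XML comment, so only port elements and the action are seen."""
    rules = []
    for rule in ET.fromstring(zone_xml).findall("rule"):
        matches = [
            (el.tag, el.get("protocol"), port_range(el.get("port")))
            for el in rule
            if el.tag in ("port", "source-port")
        ]
        action = next((el.tag for el in rule if el.tag in ("accept", "reject", "drop")), None)
        rules.append((matches, action))
    return rules


def rule_matches(matches, pkt):
    """<port> compares the destination port, <source-port> the source port."""
    for tag, proto, (lo, hi) in matches:
        if proto != pkt["proto"]:
            return False
        port = pkt["spt"] if tag == "source-port" else pkt["dpt"]
        if not lo <= port <= hi:
            return False
    return True


def first_action(zone_xml, line):
    """Action of the first rich rule whose port match hits the logged packet."""
    pkt = parse_log(line)
    for matches, action in parse_rules(zone_xml):
        if rule_matches(matches, pkt):
            return action
    return None


if __name__ == "__main__":
    for name, line in [("RST from :853", LOG_RST_FROM_853),
                       ("SYN spt 853 -> :22", LOG_SYN_SPT_853_TO_SSH),
                       ("SYN -> :853", LOG_SYN_TO_853)]:
        print(f"{name:20} source-port rule: {first_action(ZONE_AS_POSTED, line)!s:7} "
              f"port rule: {first_action(ZONE_FIXED, line)}")
```

Run stand-alone, the script shows that the `<source-port>` form matches anything whose source port happens to be 853, including a SYN aimed at sshd from a remote host that simply chose 853 as its source port, because the remote end picks its own source port. The `<port>` form matches only traffic to a local listener on 853, which is what a rule "for the AdGuard Home DoT service" should express.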