On Tue, Mar 08, 2022 at 10:16:46PM +0100, Koen Drai wrote:
Gents,
Thanks again for your support!
On 08/03/2022 21:32, Eric Garver wrote:
> On Tue, Mar 08, 2022 at 05:35:54PM +0300, Andrei Borzenkov wrote:
> > On 08.03.2022 17:31, Eric Garver wrote:
> > > On Sun, Mar 06, 2022 at 11:26:38PM +0100, Koen Drai wrote:
> > > > Hi,
> > > >
> > > > I am running an AdGuard Home DNS server in my home network (on Debian 11, which is v0.9.3).
> > > >
> > > > Works fine so far, but I am getting the following error messages in syslog:
> > > > Mar 6 20:48:33 fook kernel: [160941.334608] "filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<MAC> SRC=5.9.164.112 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=853 DPT=46170 WINDOW=0 RES=0x00 RST URGP=0
> > >
> > > A TCP RESET will be sent if the remote/server does not have a socket
> > > listening on that port. This may indicate the packet passes through the
> > > firewall, but no service is listening.
> > >
I get the feeling that it is indeed the case "This may indicate the packet passes through the firewall, but no service is listening."
Got the following response from netstat:
# netstat -v -p -n | grep Ad
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:55252       5.9.164.112:853         ESTABLISHED 2486/AdGuardHome
tcp        0      0 192.168.1.1:55266       5.9.164.112:853         ESTABLISHED 2486/AdGuardHome
Log shows e.g. this:
Mar 8 21:56:40 fook kernel: [23772.652824] "filter_IN_knet_REJECT: "IN=enp2s0 OUT= MAC=<MAC> SRC=5.9.164.112 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=853 DPT=55166 WINDOW=0 RES=0x00 RST URGP=0
This log indicates the kernel thinks this TCP RST is not part of an
existing connection. I don't know why.
Seems as if AdGuard Home is changing ports frequently and/or not
informing the queried server about the new port?
The sport changing on the client (AdGuard Home) is normal. Each new
connection/request to your upstream DNS-over-TLS server may use a
different source port.
> > > > However, this request should not be rejected according to the configuration:
> > > >
> > > > /etc/firewalld/zones/knet.xml
> > > > (...)
> > > > <rule family="ipv4">
> > > >   <!-- 853 TCP AdGuard Home -->
> > > >   <source-port port="853" protocol="tcp"/>
> > > >   <accept/>
> > > > </rule>
> > > > (...)
I don't think you need this rich rule at all. What is the intent?
Outbound packets (e.g. DoT query) are allowed by default. Return path
(existing connection) packets are allowed by default.
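An added example, not from the thread: a short Python script that parses the firewalld REJECT line and the netstat output quoted above and checks whether the rejected packet's DPT belongs to any ESTABLISHED local socket. For the samples copied from this thread it does not, and the packet is a bare RST, which fits Eric's reading: the upstream is resetting a connection AdGuard Home has already closed, so conntrack has no flow to match and the reject is harmless. The category names and the heuristic are my own, not firewalld's.

```python
import re

# Constructed samples, copied from the thread (MAC elided as on the page):
# one firewalld REJECT log line and the two ESTABLISHED AdGuardHome sockets.
KERNEL_LOG = ('Mar 8 21:56:40 fook kernel: [23772.652824] "filter_IN_knet_REJECT: "'
              'IN=enp2s0 OUT= MAC=<MAC> SRC=5.9.164.112 DST=192.168.1.1 LEN=40 '
              'TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=853 DPT=55166 '
              'WINDOW=0 RES=0x00 RST URGP=0')
NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.1:55252 5.9.164.112:853 ESTABLISHED 2486/AdGuardHome
tcp 0 0 192.168.1.1:55266 5.9.164.112:853 ESTABLISHED 2486/AdGuardHome"""

KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_kernel_log(line):
    """Split one netfilter LOG line into (prefix, key=value fields, TCP flags)."""
    m = re.search(r'"([^"]*)"(.*)', line)  # firewalld quotes its log prefix
    prefix, rest = (m.group(1).strip(), m.group(2)) if m else ("", line)
    fields = dict(KV.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return prefix, fields, flags

def established_local_ports(netstat_text):
    """Local ports of ESTABLISHED TCP sockets in `netstat -p -n` output."""
    ports = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[5] == "ESTABLISHED":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports

def classify_reject(line, netstat_text):
    """Explain why conntrack did not match the packet to an existing flow."""
    _, f, flags = parse_kernel_log(line)
    if f.get("PROTO") != "TCP":
        return "non-tcp"
    dpt = int(f["DPT"])
    if dpt in established_local_ports(netstat_text):
        return "matches-established"   # unexpected: a tracked flow should be accepted
    if flags == {"RST"}:
        # Bare RST to a port we no longer have open: the upstream is resetting a
        # connection the client already closed, so there is no flow to match.
        return "stale-rst"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"       # a genuine inbound connection attempt
    return "unknown"

if __name__ == "__main__":
    print(classify_reject(KERNEL_LOG, NETSTAT))   # stale-rst
```

Run it against your own `journalctl -k` output and a fresh `netstat -p -n` (or `ss -tnp`) capture taken at the same time; a port that does show up as ESTABLISHED would point at a real firewall problem rather than a stale reset.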