Firewall behaviour is strange on one of my systems

Gordon Messmer gordon.messmer at gmail.com
Wed Oct 28 17:00:33 UTC 2015


On 10/28/2015 09:24 AM, Rick Stevens wrote:
> You have a DNS resolution issue.

It's probably an mDNS issue, and replies should normally be allowed by 
the default "accept RELATED,ESTABLISHED" rule.

It might be helpful to see the output of "iptables -L -n -v".

> With the firewall enabled, as root,
> try:
>     # iptables -L -n | grep :53
> and make sure you see lines like:
>     ACCEPT  udp  --  0.0.0.0/0    0.0.0.0/0            udp dpt:53
>     ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0            tcp dpt:53

You'll normally only see those lines when you're running virtualization, 
or a DNS server.  They aren't necessary for mDNS, which uses a different 
port entirely.

I suspect that you see them because you're running libvirt.  If you use 
"iptables -v", you would see that those rules only affect packets on the 
virbr0 interface.  They're not related to your non-virtualized 
applications (or to mDNS in any case).

> Also make sure avahi-daemon and dnsmasq are running.

If mDNS is working when the firewall is down, we can assume that 
avahi-daemon is running.  dnsmasq is not required for mDNS.
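The checks suggested in this thread, written up as an added shell example (not code from the thread or from either poster): it reads a saved "iptables -L -n -v" listing, reports which interfaces the port-53 ACCEPT rules are bound to, whether a rule for the mDNS port (5353/udp, which avahi-daemon uses; the thread does not name the port) exists on the LAN interface, and whether the RELATED,ESTABLISHED accept is present. The listing and the interface name eth0 are constructed samples, not the original poster's output.

```bash
#!/usr/bin/env bash
# Added example: inspect a saved "iptables -L -n -v" listing for the points
# raised in the thread. SAMPLE_LISTING is constructed to resemble a libvirt
# host (dpt:53 rules bound to virbr0); it is not the original poster's output.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100 12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   20  1500 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
   10   800 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    5   400 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Interfaces ("*" = any) on which an ACCEPT rule for dpt:<port> applies.
# Columns of -v output: pkts bytes target prot opt in out source destination [match...]
accept_ifaces_for_port() {  # $1 = port, $2 = listing
    printf '%s\n' "$2" \
        | awk -v re="dpt:$1"'( |$)' '$3 == "ACCEPT" && $0 ~ re { print $6 }' \
        | sort -u | xargs
}

# Succeeds when a conntrack-based ACCEPT for reply traffic is present.
has_established_accept() {  # $1 = listing
    printf '%s\n' "$1" | grep -q 'ACCEPT.*RELATED,ESTABLISHED'
}

# "present" if a 5353/udp ACCEPT applies to any interface or to the LAN one.
mdns_rule_status() {  # $1 = LAN interface name, $2 = listing
    local ifaces
    ifaces=$(accept_ifaces_for_port 5353 "$2")
    case " $ifaces " in
        *" * "*|*" $1 "*) echo present ;;
        *)                echo missing ;;
    esac
}

report() {  # $1 = LAN interface name, $2 = listing
    echo "port 53 ACCEPT rules apply to interfaces: $(accept_ifaces_for_port 53 "$2")"
    echo "mDNS (5353/udp) rule covering $1: $(mdns_rule_status "$1" "$2")"
    if has_established_accept "$2"; then echo "RELATED,ESTABLISHED accept: present"
    else echo "RELATED,ESTABLISHED accept: missing"; fi
}

report eth0 "$SAMPLE_LISTING"
# On a live host, as root: report eth0 "$(iptables -L -n -v)"
```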