Firewall behaviour is strange on one of my systems
Antonio M
antonio.montagnani at gmail.com
Wed Oct 28 17:07:45 UTC 2015
thx to all... iptables -L -n -v
see attached file
2015-10-28 18:00 GMT+01:00 Gordon Messmer <gordon.messmer at gmail.com>:
> On 10/28/2015 09:24 AM, Rick Stevens wrote:
>
>> You have a DNS resolution issue.
>>
>
> It's probably an mDNS issue, and replies should normally be allowed by the
> default "accept RELATED,ESTABLISHED" rule.
>
> It might be helpful to see the output of "iptables -L -n -v".
>
>> With the firewall enabled, as root,
>> try:
>> # iptables -L -n | grep :53
>> and make sure you see lines like:
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
>>
>
> You'll normally only see those lines when you're running virtualization,
> or a DNS server. They aren't necessary for mDNS, which uses a different
> port entirely.
>
> I suspect that you see them because you're running libvirt. If you use
> "iptables -v", you would see that those rules only affect packets on the
> virbr0 interface. They're not related to your non-virtualized applications
> (or to mDNS in any case).
>
>> Also make sure avahi-daemon and dnsmasq are running.
>>
>
> If mDNS is working when the firewall is down, we can assume that
> avahi-daemon is running. dnsmasq is not required for mDNS.
>
--
Antonio Montagnani
Skype : amontag52
Linux Fedora 22 (Twenty-two)
inviato da Gmail
-------------- next part --------------
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 ACCEPT                       udp  --  virbr0  *       0.0.0.0/0        0.0.0.0/0        udp dpt:53
    0     0 ACCEPT                       tcp  --  virbr0  *       0.0.0.0/0        0.0.0.0/0        tcp dpt:53
    0     0 ACCEPT                       udp  --  virbr0  *       0.0.0.0/0        0.0.0.0/0        udp dpt:67
    0     0 ACCEPT                       tcp  --  virbr0  *       0.0.0.0/0        0.0.0.0/0        tcp dpt:67
54697   50M ACCEPT                       all  --  *       *       0.0.0.0/0        0.0.0.0/0        ctstate RELATED,ESTABLISHED
   68 12526 ACCEPT                       all  --  lo      *       0.0.0.0/0        0.0.0.0/0
  934  160K INPUT_direct                 all  --  *       *       0.0.0.0/0        0.0.0.0/0
  934  160K INPUT_ZONES_SOURCE           all  --  *       *       0.0.0.0/0        0.0.0.0/0
  934  160K INPUT_ZONES                  all  --  *       *       0.0.0.0/0        0.0.0.0/0
    1    84 ACCEPT                       icmp --  *       *       0.0.0.0/0        0.0.0.0/0
  120  4800 DROP                         all  --  *       *       0.0.0.0/0        0.0.0.0/0        ctstate INVALID
  116 16973 REJECT                       all  --  *       *       0.0.0.0/0        0.0.0.0/0        reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 ACCEPT                       all  --  *       virbr0  0.0.0.0/0        192.168.122.0/24 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                       all  --  virbr0  *       192.168.122.0/24 0.0.0.0/0
    0     0 ACCEPT                       all  --  virbr0  virbr0  0.0.0.0/0        0.0.0.0/0
    0     0 REJECT                       all  --  *       virbr0  0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
    0     0 REJECT                       all  --  virbr0  *       0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
    0     0 ACCEPT                       all  --  *       *       0.0.0.0/0        0.0.0.0/0        ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                       all  --  lo      *       0.0.0.0/0        0.0.0.0/0
    0     0 FORWARD_direct               all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE      all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FORWARD_IN_ZONES             all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE     all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FORWARD_OUT_ZONES            all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT                       icmp --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 DROP                         all  --  *       *       0.0.0.0/0        0.0.0.0/0        ctstate INVALID
    0     0 REJECT                       all  --  *       *       0.0.0.0/0        0.0.0.0/0        reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 154K packets, 170M bytes)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 ACCEPT                       udp  --  *       virbr0  0.0.0.0/0        0.0.0.0/0        udp dpt:68
 154K  170M OUTPUT_direct                all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 FWDI_FedoraWorkstation       all  --  p19p1   *       0.0.0.0/0        0.0.0.0/0        [goto]
    0     0 FWDI_home                    all  --  +       *       0.0.0.0/0        0.0.0.0/0        [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 FWDO_FedoraWorkstation       all  --  *       p19p1   0.0.0.0/0        0.0.0.0/0        [goto]
    0     0 FWDO_home                    all  --  *       +       0.0.0.0/0        0.0.0.0/0        [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FORWARD_direct (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDI_FedoraWorkstation (1 references)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 FWDI_FedoraWorkstation_log   all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDI_FedoraWorkstation_deny  all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDI_FedoraWorkstation_allow all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain FWDI_FedoraWorkstation_allow (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDI_FedoraWorkstation_deny (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDI_FedoraWorkstation_log (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDI_home (1 references)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 FWDI_home_log                all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDI_home_deny               all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDI_home_allow              all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain FWDI_home_allow (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDI_home_deny (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDI_home_log (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDO_FedoraWorkstation (1 references)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 FWDO_FedoraWorkstation_log   all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDO_FedoraWorkstation_deny  all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDO_FedoraWorkstation_allow all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain FWDO_FedoraWorkstation_allow (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDO_FedoraWorkstation_deny (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDO_FedoraWorkstation_log (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDO_home (1 references)
 pkts bytes target                       prot opt in      out     source           destination
    0     0 FWDO_home_log                all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDO_home_deny               all  --  *       *       0.0.0.0/0        0.0.0.0/0
    0     0 FWDO_home_allow              all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain FWDO_home_allow (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDO_home_deny (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain FWDO_home_log (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain INPUT_ZONES (1 references)
 pkts bytes target                       prot opt in      out     source           destination
  682  120K IN_FedoraWorkstation         all  --  p19p1   *       0.0.0.0/0        0.0.0.0/0        [goto]
  252 40061 IN_home                      all  --  +       *       0.0.0.0/0        0.0.0.0/0        [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain INPUT_direct (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain IN_FedoraWorkstation (1 references)
 pkts bytes target                       prot opt in      out     source           destination
  682  120K IN_FedoraWorkstation_log     all  --  *       *       0.0.0.0/0        0.0.0.0/0
  682  120K IN_FedoraWorkstation_deny    all  --  *       *       0.0.0.0/0        0.0.0.0/0
  682  120K IN_FedoraWorkstation_allow   all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain IN_FedoraWorkstation_allow (1 references)
 pkts bytes target                       prot opt in      out     source           destination
  195 30848 ACCEPT                       udp  --  *       *       0.0.0.0/0        224.0.0.251      udp dpt:5353 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:631 ctstate NEW
    0     0 ACCEPT                       tcp  --  *       *       0.0.0.0/0        0.0.0.0/0        tcp dpt:631 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:631 ctstate NEW
    0     0 ACCEPT                       tcp  --  *       *       0.0.0.0/0        0.0.0.0/0        tcp dpt:22 ctstate NEW
    0     0 ACCEPT                       tcp  --  *       *       0.0.0.0/0        0.0.0.0/0        tcp dpt:53 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:53 ctstate NEW
   26  2388 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:137 ctstate NEW
   34  8106 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:138 ctstate NEW
  220 67070 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpts:1025:65535 ctstate NEW
   32  1920 ACCEPT                       tcp  --  *       *       0.0.0.0/0        0.0.0.0/0        tcp dpts:1025:65535 ctstate NEW

Chain IN_FedoraWorkstation_deny (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain IN_FedoraWorkstation_log (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain IN_home (1 references)
 pkts bytes target                       prot opt in      out     source           destination
  252 40061 IN_home_log                  all  --  *       *       0.0.0.0/0        0.0.0.0/0
  252 40061 IN_home_deny                 all  --  *       *       0.0.0.0/0        0.0.0.0/0
  252 40061 IN_home_allow                all  --  *       *       0.0.0.0/0        0.0.0.0/0

Chain IN_home_allow (1 references)
 pkts bytes target                       prot opt in      out     source           destination
  190 27895 ACCEPT                       udp  --  *       *       0.0.0.0/0        224.0.0.251      udp dpt:5353 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:631 ctstate NEW
    0     0 ACCEPT                       tcp  --  *       *       0.0.0.0/0        0.0.0.0/0        tcp dpt:631 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:631 ctstate NEW
    0     0 ACCEPT                       tcp  --  *       *       0.0.0.0/0        0.0.0.0/0        tcp dpt:22 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:137 ctstate NEW
    0     0 ACCEPT                       udp  --  *       *       0.0.0.0/0        0.0.0.0/0        udp dpt:138 ctstate NEW

Chain IN_home_deny (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain IN_home_log (1 references)
 pkts bytes target                       prot opt in      out     source           destination

Chain OUTPUT_direct (1 references)
 pkts bytes target                       prot opt in      out     source           destination
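The two checks Gordon describes in the quoted reply (which interface a port-53 rule is bound to, as shown by the "in" column of "iptables -L -n -v", and whether the mDNS rule is actually being hit) can be scripted against saved output of that command. The script below is an added example, not part of this thread or of firewalld; the SAMPLE text is a constructed, abbreviated copy of two chains from the attachment above, and the function names port_rules, port_bound_only_to and accepted_packets are my own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect "iptables -L -n -v" output,
# saved to a file or piped in, and answer two questions from the discussion:
# which interface a port rule is bound to, and whether a rule is being hit.
# Column layout of a "-v" rule row:
#   $1 pkts  $2 bytes  $3 target  $4 prot  $5 opt  $6 in  $7 out
#   $8 source  $9 destination  $10.. match options (e.g. "udp dpt:53")

# Constructed sample: abbreviated copy of two chains from the attachment above.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0     0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
54697   50M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
  934  160K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
  116 16973 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain IN_FedoraWorkstation_allow (1 references)
 pkts bytes target prot opt in out source destination
  195 30848 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW
    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW'

# port_rules PORT: print "chain in-iface proto target pkts" for every rule whose
# destination port is exactly PORT. Reads iptables -L -n -v output on stdin.
port_rules() {
  awk -v port="$1" '
    /^Chain / { chain = $2; next }      # remember which chain the rows belong to
    $1 == "pkts" { next }                # skip the column header row
    {
      for (i = 10; i <= NF; i++)
        if ($i == "dpt:" port) { print chain, $6, $4, $3, $1; break }
    }'
}

# port_bound_only_to PORT IFACE: succeed only if at least one rule matches PORT
# and every such rule is restricted to IFACE, i.e. it cannot touch traffic
# arriving on any other interface (the virbr0 point made in the thread).
port_bound_only_to() {
  port_rules "$1" | awk -v iface="$2" '
    { n++; if ($2 != iface) bad = 1 }
    END { if (n == 0 || bad) exit 1 }'
}

# accepted_packets PORT: sum the packet counters of ACCEPT rules for PORT.
# A non-zero total shows the rule is actually matching traffic. Counters from
# plain -v are abbreviated (50M, 160K); use "iptables -L -n -v -x" for exact values.
accepted_packets() {
  port_rules "$1" | awk '$4 == "ACCEPT" { total += $5 } END { print total + 0 }'
}

# Demonstration on the constructed sample. On a live system replace the
# printf with: iptables -L -n -v | port_rules 53
printf '%s\n' "$SAMPLE" | port_rules 53
if printf '%s\n' "$SAMPLE" | port_bound_only_to 53 virbr0; then
  echo "port 53 rules are confined to virbr0"
else
  echo "port 53 has rules outside virbr0 (or none at all)"
fi
echo "packets accepted on udp/tcp 5353: $(printf '%s\n' "$SAMPLE" | accepted_packets 5353)"
```

Run against the real attachment, port_rules 53 lists both the libvirt rules in INPUT (bound to virbr0) and the zone rules in IN_FedoraWorkstation_allow (bound to no interface), and accepted_packets 5353 shows whether the mDNS ACCEPT rule in the active zone has seen any packets since the counters were last reset.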