Need some assistance troubleshooting firewallD on CentOS 7; please check my firewallD configuration. I think firewallD is blocking the DNS zone transfer between my 2 Windows servers. I upgraded my gateway/firewall to CentOS and firewallD; previously I was using a very old openSUSE and SuSEfirewall. The 2 Windows servers are connected by site-to-site OpenVPN, with DNS zone transfer and a domain trust configured. What's happening now: every morning I have to reload the DNS zone manually, then the domain trust works the whole day, and the next morning it fails again because the DNS zone transfer is not there, so I have to reload it manually again. Everything was fine before I upgraded my gateway to CentOS/firewallD. Maybe I missed a config on my firewallD; I'd appreciate anyone's help. I've been having this issue for a couple of days now, thanks.
Here's my firewallD setup:
external (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0 <--- going to WAN
sources:
services: ssh
ports: 1112/udp 1113/udp 1114/tcp <--- openvpn site to site ports
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal (active)
target: default
icmp-block-inversion: no
interfaces: eno1 <---- LAN subnet
sources:
services: dhcpv6-client dns mdns samba-client ssh
ports: 135/tcp 53/udp 53/tcp 135/udp 88/udp 88/tcp 445/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: vpntun1 vpntun2 vpntun3 <<<---- openvpn site to site interfaces
sources:
services: dhcpv6-client dns mdns samba-client ssh
ports: 53/tcp 53/udp 138/tcp 138/udp 391/udp 391/tcp 139/tcp 139/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Did I miss anything on firewallD? Appreciate your help, thanks.
firewalld and DNS zone transfer
Re: firewalld and DNS zone transfer
The firewalld is "easy to use", except for routers, for which it is "near impossible to use".
For what I know that config is probably as good as it can get. I would, however, look at the
actual ruleset, which I would peek with:
sudo iptables -S
sudo iptables -t nat -S
sudo iptables -t mangle -S
Alternative options --lin -vnL show line numbers and statistics (while the rule part is IMHO obfuscation).
Wait, you masquerade outgoing traffic of both enp2s0 and eno1. WAN-side is normal, but why masquerade LAN-side?
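One way to sanity-check a zone listing like the one in the question before reading the live ruleset, written as an added shell example that is not code from the thread: it parses `firewall-cmd --list-all-zones`-style output (the sample below is constructed from the three zones quoted above, with the two-space field indentation that firewall-cmd really prints) and reports, for each interface, which zone it lands in and whether that zone would pass TCP 53, which AXFR zone transfers use, separately from UDP 53 queries. The `dns` service is treated as opening 53/tcp and 53/udp, and a zone whose target is ACCEPT passes everything. The function names and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check firewalld zone definitions for
# the ports a DNS zone transfer needs. Sample listing constructed from the
# zones quoted in the question; annotations like "<--- going to WAN" removed.
ZONES='external (active)
  target: default
  interfaces: enp2s0
  services: ssh
  ports: 1112/udp 1113/udp 1114/tcp
  masquerade: yes
internal (active)
  target: default
  interfaces: eno1
  services: dhcpv6-client dns mdns samba-client ssh
  ports: 135/tcp 53/udp 53/tcp 135/udp 88/udp 88/tcp 445/tcp
  masquerade: yes
trusted (active)
  target: ACCEPT
  interfaces: vpntun1 vpntun2 vpntun3
  services: dhcpv6-client dns mdns samba-client ssh
  ports: 53/tcp 53/udp 138/tcp 138/udp 391/udp 391/tcp 139/tcp 139/udp
  masquerade: no'

zone_field() {  # zone_field <zone> <field>: print the value of one field of one zone
    printf '%s\n' "$ZONES" | awk -v zone="$1" -v field="$2" '
        /^[^ \t]/ { inzone = ($1 == zone); next }   # "name (active)" header line
        inzone {
            sub(/^[ \t]+/, "")
            n = index($0, ":")
            if (n && substr($0, 1, n - 1) == field) {
                v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v
            }
        }'
}

has_word() {  # has_word <word> <space-separated list>
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

zone_allows() {  # zone_allows <zone> <port/proto>: exit 0 if the zone would accept it
    zone=$1; portproto=$2
    # target ACCEPT (as on the trusted zone) lets everything through
    [ "$(zone_field "$zone" target)" = "ACCEPT" ] && return 0
    # the dns service opens 53/tcp and 53/udp; AXFR needs the TCP side
    case $portproto in
        53/tcp|53/udp) has_word dns "$(zone_field "$zone" services)" && return 0 ;;
    esac
    # otherwise the port must be listed explicitly
    has_word "$portproto" "$(zone_field "$zone" ports)"
}

zone_of_interface() {  # print the zone whose "interfaces:" line lists <iface>
    printf '%s\n' "$ZONES" | awk -v iface="$1" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == iface) print zone }'
}

report() {  # one line per interface: its zone and whether AXFR / queries pass
    for iface in "$@"; do
        zone=$(zone_of_interface "$iface")
        if [ -z "$zone" ]; then
            echo "$iface: not bound to any zone (falls into the default zone)"
            continue
        fi
        axfr=blocked; zone_allows "$zone" 53/tcp && axfr=allowed
        q=blocked;    zone_allows "$zone" 53/udp && q=allowed
        echo "$iface: zone=$zone 53/tcp(AXFR)=$axfr 53/udp(queries)=$q masquerade=$(zone_field "$zone" masquerade)"
    done
}

report vpntun1 eno1 enp2s0
```

This only reads the zone definitions. As the reply says, `iptables -S` shows the ruleset that actually runs, and traffic routed between the tunnel interfaces and the LAN interface passes through the FORWARD chains, which a zone listing does not show on its own.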