firewalld and DNS zone transfer

Support for security such as Firewalls and securing linux
jjdc3
Posts: 1
Joined: 2020/11/29 04:50:01

firewalld and DNS zone transfer

Post by jjdc3 » 2020/11/29 05:27:12

I need some assistance troubleshooting firewalld on CentOS 7; please check my firewalld configuration. I think firewalld is blocking DNS zone transfers between my 2 Windows servers. I upgraded my gateway/firewall to CentOS and firewalld; previously I was using a very old openSUSE with SuSEfirewall. The 2 Windows servers are connected by site-to-site OpenVPN, with DNS zone transfer and domain trust configured. What's happening now: every morning I have to reload the DNS zone manually, then the domain trust works the whole day, and the next morning it fails again because the DNS zone transfer is not there, so I have to manually reload it again. Everything was fine before I upgraded my gateway to CentOS/firewalld. Maybe I missed a config on my firewalld; I'd appreciate anyone's help. I've had this issue for a couple of days now, thanks.
Here's my firewallD setup:

external (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0 <--- going to WAN
sources:
services: ssh
ports: 1112/udp 1113/udp 1114/tcp <--- openvpn site to site ports
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal (active)
target: default
icmp-block-inversion: no
interfaces: eno1 <---- LAN subnet
sources:
services: dhcpv6-client dns mdns samba-client ssh
ports: 135/tcp 53/udp 53/tcp 135/udp 88/udp 88/tcp 445/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: vpntun1 vpntun2 vpntun3 <<<---- openvpn site to site interfaces
sources:
services: dhcpv6-client dns mdns samba-client ssh
ports: 53/tcp 53/udp 138/tcp 138/udp 391/udp 391/tcp 139/tcp 139/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Did I miss anything on firewalld? Appreciate your help, thanks.

jlehtone
Posts: 3344
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld and DNS zone transfer

Post by jlehtone » 2020/11/30 13:20:14

The firewalld is "easy to use", except for routers, for which it is "near impossible to use".

As far as I know, that config is probably as good as it can get. I would, however, look at the
actual ruleset, which I would peek at with:


sudo iptables -S             # filter table: INPUT/FORWARD/OUTPUT and the firewalld zone chains
sudo iptables -t nat -S      # nat table: masquerade and forward-port rules
sudo iptables -t mangle -S   # mangle table
The -S shows the rules in the syntax one would write them in.
The alternative options --lin -vnL show line numbers and statistics (while the rule part is IMHO obfuscation).


Wait, you masquerade outgoing traffic of both enp2s0 and eno1. WAN-side is normal, but why masquerade LAN-side?
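The advice above, to read the generated ruleset rather than the zone summary, turned into a small check. This is an added example, not code from either poster: it takes an `iptables -S` dump and reports how tcp/53 (zone transfers run over TCP, not UDP) is handled on the FORWARD path, which is the path a transfer between the two Windows servers takes through the gateway, as opposed to the INPUT path that a port listed in a zone is usually read as. The ruleset inside the block is constructed sample data in the chain layout firewalld writes on CentOS 7 (FORWARD_IN_ZONES/FWDI_<zone>, FORWARD_OUT_ZONES/FWDO_<zone>); the interface and zone names follow the thread, every rule body is an assumption made up for the example, and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect an `iptables -S` dump for
# how tcp/53 (DNS zone transfers run over TCP) is treated on the FORWARD path,
# i.e. traffic crossing the gateway between a VPN tunnel and the LAN rather
# than terminating on the gateway.  firewalld on CentOS 7 sends forwarded
# packets FORWARD -> FORWARD_IN_ZONES -> FWDI_<zone> (by input interface) and
# FORWARD -> FORWARD_OUT_ZONES -> FWDO_<zone> (by output interface); the zone
# chains jump into FWDx_<zone>_allow / _deny sub-chains.
#
# SAMPLE_DUMP is CONSTRUCTED test data in that layout.  Interface and zone
# names follow the poster's setup; the rule bodies are assumptions (here the
# internal zone forwards udp/53 but not tcp/53, so the check has a miss to show).
SAMPLE_DUMP='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i vpntun1 -g FWDI_trusted
-A FORWARD_IN_ZONES -i eno1 -g FWDI_internal
-A FORWARD_OUT_ZONES -o vpntun1 -g FWDO_trusted
-A FORWARD_OUT_ZONES -o eno1 -g FWDO_internal
-A FWDI_trusted -j ACCEPT
-A FWDO_trusted -j ACCEPT
-A FWDI_internal -j FWDI_internal_allow
-A FWDI_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FWDO_internal -j FWDO_internal_allow
-A FWDO_internal_allow ! -o lo -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'

# forward_zone IFACE in|out DUMP
# Prints the FWDI_/FWDO_ chain that handles forwarded packets entering (in)
# or leaving (out) IFACE; prints nothing if the interface is in no zone.
forward_zone() {
    case $2 in
        in)  _flag=-i; _zones=FORWARD_IN_ZONES ;;
        out) _flag=-o; _zones=FORWARD_OUT_ZONES ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$3" | awk -v z="$_zones" -v f="$_flag" -v i="$1" \
        '$1 == "-A" && $2 == z && $3 == f && $4 == i { print $NF; exit }'
}

# tcp_port_allowed CHAIN PORT DUMP
# Prints every ACCEPT in CHAIN (and the firewalld sub-chains it jumps to) that
# covers tcp/PORT: an explicit "-p tcp ... --dport PORT" match, or an ACCEPT
# with no protocol match at all (e.g. a zone whose target is ACCEPT).
# Interface and conntrack matches are deliberately ignored and multiport
# (--dports) is not parsed.  Exit status 0 if any such rule exists, else 1.
tcp_port_allowed() {
    printf '%s\n' "$3" | awk -v c="$1" -v p="$2" '
        function target(line,   f, n, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++) if (f[i] == "-j" || f[i] == "-g") return f[i + 1]
            return ""
        }
        function accepts_tcp(line, port,   f, n, i, proto, dport) {
            if (target(line) != "ACCEPT") return 0
            n = split(line, f, " "); proto = ""; dport = ""
            for (i = 1; i < n; i++) {
                if (f[i] == "-p") proto = f[i + 1]
                if (f[i] == "--dport") dport = f[i + 1]
            }
            if (proto == "") return 1            # no protocol match: covers tcp/PORT too
            return proto == "tcp" && dport == port
        }
        $1 == "-A" { n++; rule[n] = $0; chain[n] = $2 }
        END {
            kids[c] = 1
            for (k = 1; k <= n; k++)             # one level of firewalld sub-chains
                if (chain[k] == c && target(rule[k]) ~ /^(FWDI|FWDO|IN|OUT)_/)
                    kids[target(rule[k])] = 1
            for (k = 1; k <= n; k++)
                if ((chain[k] in kids) && accepts_tcp(rule[k], p)) { print rule[k]; found = 1 }
            exit (found ? 0 : 1)
        }'
}

# report DUMP: summarise tcp/53 forwarding for the thread's tunnel and LAN interfaces.
report() {
    _dump=$1
    for _spec in "vpntun1 in" "eno1 in" "vpntun1 out" "eno1 out"; do
        set -- $_spec
        _zone=$(forward_zone "$1" "$2" "$_dump")
        if [ -z "$_zone" ]; then
            printf '%-8s %-3s  (interface is in no zone)\n' "$1" "$2"
        elif tcp_port_allowed "$_zone" 53 "$_dump" >/dev/null; then
            printf '%-8s %-3s  %-14s tcp/53 accepted\n' "$1" "$2" "$_zone"
        else
            printf '%-8s %-3s  %-14s tcp/53 NOT accepted, falls through to the FORWARD tail\n' "$1" "$2" "$_zone"
        fi
    done
    return 0
}

# Stand-alone (hypothetical file name):
#   sh check_fwd53.sh                          # runs against the constructed sample
#   sudo iptables -S | sh check_fwd53.sh -     # runs against the live ruleset
case "${1:-}" in
    -)  report "$(cat)" ;;
    "") report "$SAMPLE_DUMP" ;;
esac
```

Against a live dump, compare the INPUT-side and FORWARD-side answers for each interface: a port that only appears in an IN_<zone>_allow rule lets the gateway itself be reached on it, which is not the same as letting the two DNS servers reach each other through it.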

