etc/system-release
etc/issue
srv/web/ipfire/cgi-bin/credits.cgi
-usr/lib/firewall/rules.pl
-usr/sbin/firewall-policy
var/ipfire/langs
etc/logrotate.conf
+etc/rc.d/init.d/firewall
srv/web/ipfire/cgi-bin/ovpnmain.cgi
+usr/lib/firewall/rules.pl
+usr/sbin/firewall-policy
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+ROOTHINTS="/etc/unbound/root.hints"
IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
if [ -f /var/ipfire/red/device ]; then
iptables -A INPUT -j TOR_INPUT
iptables -N TOR_OUTPUT
iptables -A OUTPUT -j TOR_OUTPUT
+
+ # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers
+ local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )"
+ ipset -N root-servers iphash
+
+ for ip in "${rootserverips[@]}"; do
+ ipset add root-servers $ip
+ done
+
+ iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT
# Jump into the actual firewall ruleset.
iptables -N INPUTFW
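Review bot: `rootserverips` is assigned a plain string from `$( awk ... )`, not an array, so `"${rootserverips[@]}"` expands to one word holding the whole newline-separated list and the loop body runs once; the per-address `ipset add` calls only happen because `$ip` is left unquoted and gets word-split, which is fragile and would break under any future quoting cleanup. Either read the addresses into a real array, `mapfile -t rootserverips < <(awk '/\s+A\s+/ { print $4 }' "${ROOTHINTS}")`, or keep the scalar and loop with `for ip in ${rootserverips}; do ipset add root-servers "${ip}"; done`. Separately, `ipset -N root-servers iphash` and the subsequent `ipset add` calls fail with an error if the set (or an entry) already exists, which I would expect on a re-run of this script while the set is still loaded — `ipset -exist -N root-servers iphash` followed by `ipset flush root-servers` before the loop makes the block idempotent. The `local` on the new line suggests this sits inside a function whose definition begins outside the hunk.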