Revert "firewall: always allow outgoing DNS traffic to root servers"
index 602bd6c5b4ae8df8a68350fe6c1e79955db0189e..ec396c708c8e6b03396b0033ce2649fb61dec09b 100644 (file)
@@ -6,7 +6,6 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-ROOTHINTS="/etc/unbound/root.hints"
 IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
 
 if [ -f /var/ipfire/red/device ]; then
@@ -308,17 +307,6 @@ iptables_init() {
        iptables -A INPUT -j TOR_INPUT
        iptables -N TOR_OUTPUT
        iptables -A OUTPUT -j TOR_OUTPUT
-
-       # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers
-       local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )"
-       ipset -N root-servers iphash
-
-       for ip in "${rootserverips[@]}"; do
-               ipset add root-servers $ip
-       done
-
-       iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT
-       iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT
        
        # Jump into the actual firewall ruleset.
        iptables -N INPUTFW