From be967dc920565a3d6768a885c496898a55442b35 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Fri, 18 Oct 2019 16:13:49 +0200
Subject: [PATCH] Revert "firewall: always allow outgoing DNS traffic to root servers"

This reverts commit 70cd5c42f003292bd1ecb9e38018782679dbd01e.

Signed-off-by: Arne Fitzenreiter
---
 config/rootfiles/core/137/filelists/files | 3 +++
 src/initscripts/system/firewall | 12 ------------
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files
index 33f86862f5..3b7c8d23b3 100644
--- a/config/rootfiles/core/137/filelists/files
+++ b/config/rootfiles/core/137/filelists/files
@@ -1,6 +1,8 @@
 etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
+usr/lib/firewall/rules.pl
+usr/sbin/firewall-policy
 var/ipfire/langs
 etc/logrotate.conf
 etc/rc.d/init.d/firewall
@@ -17,3 +19,4 @@ usr/local/bin/xt_geoip_update
 var/ipfire/backup/bin/backup.pl
 var/ipfire/qos/bin/makeqosscripts.pl
 var/ipfire/suricata/ruleset-sources
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 602bd6c5b4..ec396c708c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -6,7 +6,6 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-ROOTHINTS="/etc/unbound/root.hints"
 
 IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
 if [ -f /var/ipfire/red/device ]; then
@@ -308,17 +307,6 @@ iptables_init() {
 	iptables -A INPUT -j TOR_INPUT
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
-
-	# Allow outgoing DNS traffic (TCP and UDP) to DNS root servers
-	local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )"
-	ipset -N root-servers iphash
-
-	for ip in "${rootserverips[@]}"; do
-		ipset add root-servers $ip
-	done
-
-	iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT
-	iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT
 
 	# Jump into the actual firewall ruleset.
 	iptables -N INPUTFW
-- 
2.39.2