sampsonf
(Sampson Fung)
December 9, 2019, 4:23am
1
My network is like this:
InternetLink <> 1.1.1.1 - Fedora32 - 192.168.44.1 <192.168.44.0/24>Physical Windows clients
Fedora32 running firewalld and named. Network config by systemd-networkd
Physical Win10 client
192.168.44.44 (static)
GW: 192.168.44.1
DNS: 192.168.44.1
Problem: Win10 can access internet by IP, but not by Name .
What should be the correct firewalld zone/command to make it work?
Checking:
stop firewalld, DNS query OK, but Internet ping by IP not working (as firewalld is doing IP Masquerade)
start firewalld, Internet ping by IP working, but DNS query to DNS 192.168.44.1 timeout
alciregi
(Alessio)
December 9, 2019, 9:20am
2
I think that you should allow DNS traffic in the firewall, on the zone of the internal interface.
Something like that:
Get the active zones:
firewall-cmd --get-active-zones
Allow DNS queries on the zone called internal .
firewall-cmd --zone=internal --add-service=dns
Test if dns queries are now working.
If it is ok, let’s make the rule permanent upon reboots.
firewall-cmd --runtime-to-permanent
sampsonf
(Sampson Fung)
December 9, 2019, 1:36pm
3
Do I need to manually add my interfaces to any firewalld zones?
I guess I should add 1.1.1.1 to external and 192.168.44.44 to internal .
alciregi
(Alessio)
December 9, 2019, 2:13pm
4
It depends how you configured your firewall.
Please provide the result of this command
firewall-cmd --get-active-zones
sampsonf
(Sampson Fung)
December 9, 2019, 4:14pm
5
I don’t know if all steps are necessary. After step 4, my physical Win10 machine can do DNS query to my Fedora Host and access Internet using the Fedora Host as gateway.
Thank you very much for your hints and directions.
1. add interface br2 (uplink) to external zone (Win10 can ping 8.8.8.8)
2. add interface enp1s0 to internal zone
3. edit /etc/named.conf
   - Add host internal IP to listen-on port 53
   - Add internal subnet to allow-query
4. add dns service to internal zone
   # firewall-cmd --add-service=dns --zone=internal
# firewall-cmd --get-active-zones
external
interfaces: br2
internal
interfaces: enp1s0
# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: br2
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: dhcpv6-client dns mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
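An added check script (not from this thread or from the firewalld/BIND projects) that verifies the end state post 5 arrived at: the uplink zone masquerades, the LAN zone allows the dns service, and named listens on the internal address and accepts queries from the internal subnet. The zone output and the named.conf fragment embedded below are constructed samples mirroring what the thread shows; on a live host you would feed it the real `firewall-cmd --list-all --zone=...` output and `/etc/named.conf` instead.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all` for the two zones in post 5.
EXTERNAL_OUT='external (active)
  target: default
  interfaces: br2
  services: ssh
  masquerade: yes'

INTERNAL_OUT='internal (active)
  target: default
  interfaces: enp1s0
  services: dhcpv6-client dns mdns samba-client ssh
  masquerade: no'

# Constructed sample of the named.conf options block after step 3.
NAMED_CONF='options {
        listen-on port 53 { 127.0.0.1; 192.168.44.1; };
        allow-query     { localhost; 192.168.44.0/24; };
};'

# zone_has_service OUTPUT SERVICE -> 0 if SERVICE appears on the services: line
zone_has_service() {
    printf '%s\n' "$1" | sed -n 's/^ *services: *//p' | tr ' ' '\n' | grep -qxF "$2"
}

# zone_masquerades OUTPUT -> 0 if the zone has masquerade: yes
zone_masquerades() {
    printf '%s\n' "$1" | grep -q '^ *masquerade: yes$'
}

# named_permits CONF OPTION VALUE -> 0 if VALUE is listed inside OPTION { ... };
named_permits() {
    printf '%s\n' "$1" | sed -n "s/^ *$2[^{]*{\(.*\)}.*/\1/p" \
        | tr ';' '\n' | tr -d ' ' | grep -qxF "$3"
}

# audit_setup EXT_OUT INT_OUT NAMED_CONF -> 0 when every condition from the
# thread holds; otherwise prints each missing piece and returns 1.
audit_setup() {
    ok=0
    zone_masquerades "$1" || { echo "uplink zone lacks masquerade: LAN loses Internet by IP"; ok=1; }
    zone_has_service "$2" dns || { echo "LAN zone lacks dns service: queries to 192.168.44.1 time out"; ok=1; }
    named_permits "$3" listen-on 192.168.44.1 || { echo "named not listening on 192.168.44.1"; ok=1; }
    named_permits "$3" allow-query 192.168.44.0/24 || { echo "named does not allow-query 192.168.44.0/24"; ok=1; }
    return $ok
}
```

To run it against a live Fedora host, pass `"$(firewall-cmd --list-all --zone=external)"`, `"$(firewall-cmd --list-all --zone=internal)"` and `"$(cat /etc/named.conf)"` to `audit_setup`.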
system
(system)
Closed
January 6, 2020, 4:14pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.