Named and firewalld

My network is like this:

InternetLink <> 1.1.1.1 - Fedora32 - 192.168.44.1 <192.168.44.0/24>Physical Windows clients

Fedora32 is running firewalld and named. Network config is by systemd-networkd.

Physical Win10 client

  • 192.168.44.44 (static)
  • GW: 192.168.44.1
  • DNS: 192.168.44.1

Problem: Win10 can access the Internet by IP, but not by name.
What should be the correct firewalld zone/command to make it work?

Checking:

  • stop firewalld, DNS query OK, but Internet ping by IP not working (as firewalld is doing IP Masquerade)
  • start firewalld, Internet ping by IP working, but DNS query to DNS 192.168.44.1 timeout

I think that you should allow DNS traffic in the firewall, on the zone of the internal interface.
Something like this:

  • Get the active zones:
    firewall-cmd --get-active-zones
  • Allow DNS queries on the zone called internal.
    firewall-cmd --zone=internal --add-service=dns
  • Test if dns queries are now working.
  • If it is ok, let’s make the rule permanent upon reboots.
    firewall-cmd --runtime-to-permanent

Do I need to manually add my interfaces to any firewalld zones?

I guess I should add 1.1.1.1 to external and 192.168.44.44 to internal.

It depends how you configured your firewall.
Please provide the result of this command
firewall-cmd --get-active-zones

I don’t know if all steps are necessary. After step 4, my physical Win10 machine can do DNS queries to my Fedora host and access the Internet using the Fedora host as gateway.

Thank you very much for your hints and directions.

  1. add interface br2 (uplink) to external zone (Win10 can ping 8.8.8.8)
  2. add interface enp1s0 to internal zone
  3. edit /etc/named.conf
     • Add host internal IP to listen-on port 53
     • Add internal subnet to allow-query
  4. add dns service to internal zone
# firewall-cmd --add-service=dns --zone=internal
# firewall-cmd --get-active-zones
external
  interfaces: br2
internal
  interfaces: enp1s0

# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br2
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
# firewall-cmd --list-all --zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: dhcpv6-client dns mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
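The following script is an added example, not something posted in this thread. It turns the suggested firewall-cmd sequence from the earlier reply and the four steps above into one repeatable procedure: it emits the named.conf "options" fragment for step 3, the firewall-cmd commands for steps 1, 2 and 4, and a check that the internal zone really lists the dns service. The interface names (br2, enp1s0), the host address 192.168.44.1 and the subnet 192.168.44.0/24 are taken from the thread; everything else (function names, the plan/apply modes) is assumed for the example. Without arguments it only prints the plan; "apply" runs firewall-cmd and must be executed as root on the Fedora host.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's script).
# Assumed values, copied from the thread:
UPLINK_IF="br2"            # uplink, goes into the external zone (masquerade)
LAN_IF="enp1s0"            # LAN side, goes into the internal zone
LAN_IP="192.168.44.1"      # named listens here for the Windows clients
LAN_NET="192.168.44.0/24"  # only this subnet may query and recurse
set -eu

# Step 3: the BIND "options" fragment for /etc/named.conf.
# Besides listen-on and allow-query (the two edits from the thread) it also
# restricts allow-recursion to the LAN, so the resolver is never open to the
# uplink side. BIND 9 defaults allow-recursion to localnets/localhost anyway,
# but stating it explicitly keeps it correct if that default is ever changed.
named_options() {
    lan_ip="$1"; lan_net="$2"
    printf 'options {\n'
    printf '\tlisten-on port 53 { 127.0.0.1; %s; };\n' "$lan_ip"
    printf '\tallow-query { localhost; %s; };\n' "$lan_net"
    printf '\tallow-recursion { localhost; %s; };\n' "$lan_net"
    printf '};\n'
}

# Steps 1, 2 and 4: bind the interfaces to their zones, open dns on the
# internal zone only, then persist the runtime configuration.
firewall_commands() {
    uplink="$1"; lan="$2"
    printf 'firewall-cmd --zone=external --change-interface=%s\n' "$uplink"
    printf 'firewall-cmd --zone=internal --change-interface=%s\n' "$lan"
    printf 'firewall-cmd --zone=internal --add-service=dns\n'
    printf 'firewall-cmd --runtime-to-permanent\n'
}

# Verification: read a "firewall-cmd --list-all" dump on stdin and succeed
# only if the services line contains the dns service as a whole word
# (so "mdns" alone does not count). Reading stdin keeps it testable offline.
zone_allows_dns() {
    grep -E '^[[:space:]]*services:.*[[:space:]]dns([[:space:]]|$)' >/dev/null
}

case "${1:-plan}" in
    plan)
        echo "# /etc/named.conf options fragment:"
        named_options "$LAN_IP" "$LAN_NET"
        echo "# firewalld commands to run as root:"
        firewall_commands "$UPLINK_IF" "$LAN_IF"
        ;;
    apply)
        firewall_commands "$UPLINK_IF" "$LAN_IF" | sh -e
        if firewall-cmd --list-all --zone=internal | zone_allows_dns; then
            echo "internal zone allows dns"
        else
            echo "dns service missing from internal zone" >&2
            exit 1
        fi
        ;;
esac
```

Run it once without arguments to review the plan, paste the options fragment into /etc/named.conf (merging with the existing options block), then run it with "apply". Note that only the internal zone gets the dns service; the external zone keeps masquerade and stays closed to DNS, which is what keeps the resolver private to the LAN.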
