Add some comments for DNS rules.

2017-06-02 11:34:43 +02:00 · 2017-06-02 11:34:43 +02:00 · b5f8bc672b
commit b5f8bc672b
parent 60dd071fc9
3 changed files with 28 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
+.*.swp
 ip6t-firewall-server.conf
 ipt-firewall-server.conf
 BAK/*
--- a/15
+++ b/15
@ -608,18 +608,29 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
   if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${dns_server_ips[@]} ; do
         # dns requests
+         #
+         # Note:
+         #    If the total size of the DNS record is larger than 512 bytes, 
+         #    it will be sent over TCP, not UDP.
+         #
         $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
-         # Zonetransfer
         $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+         # Zonetransfer
         $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
      done
   fi
      
   if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
      for _ip in ${forward_dns_server_ip_arr[@]} ; do
+         # dns requests
+         #
+         # Note:
+         #    If the total size of the DNS record is larger than 512 bytes, 
+         #    it will be sent over TCP, not UDP.
+         #
         $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
-         # Zonetransfer
         $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+         # Zonetransfer
         $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
      done
   fi
--- a/15
+++ b/15
@ -798,18 +798,29 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
   if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
      for _ip in ${dns_server_ips[@]} ; do
         # dns requests 
+         #
+         # Note:
+         #    If the total size of the DNS record is larger than 512 bytes, 
+         #    it will be sent over TCP, not UDP.
+         #
         $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
-         # Zonetransfer
         $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+         # Zonetransfer
         $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
      done
   fi
      
   if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
      for _ip in ${forward_dns_server_ip_arr[@]} ; do
+         # dns requests 
+         #
+         # Note:
+         #    If the total size of the DNS record is larger than 512 bytes, 
+         #    it will be sent over TCP, not UDP.
+         #
         $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
-         # Zonetransfer
         $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+         # Zonetransfer
         $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
      done
   fi