From: Peter Palfrader <peter@palfrader.org>
Date: Sun, 1 Dec 2013 09:49:17 +0000 (+0100)
Subject: Attempt not to track DNS traffic
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=823568d2e4cad6f5b1a1a2fad73316f516601f62;p=mirror%2Fdsa-puppet.git

Attempt not to track DNS traffic
---

diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 8ba8e6a2c..240133806 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -169,6 +169,37 @@ class ferm::per-host {
 			@ferm::rule { 'dsa-conntrackd':
 				rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
 			}
+			@ferm::rule { 'dsa-bind-notrack-in':
+				domain      => 'ip',
+				description => 'NOTRACK for nameserver traffic',
+				table       => 'raw',
+				chain       => 'PREROUTING',
+				rule        => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
+			}
+
+			@ferm::rule { 'dsa-bind-notrack-out':
+				domain      => 'ip',
+				description => 'NOTRACK for nameserver traffic',
+				table       => 'raw',
+				chain       => 'OUTPUT',
+				rule        => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
+			}
+
+			@ferm::rule { 'dsa-bind-notrack-in6':
+				domain      => 'ip6',
+				description => 'NOTRACK for nameserver traffic',
+				table       => 'raw',
+				chain       => 'PREROUTING',
+				rule        => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
+			}
+
+			@ferm::rule { 'dsa-bind-notrack-out6':
+				domain      => 'ip6',
+				description => 'NOTRACK for nameserver traffic',
+				table       => 'raw',
+				chain       => 'OUTPUT',
+				rule        => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
+			}
 		}
 		default: {}
 	}