Greetings, I've followed the instructions in this BIND Knowledge Base article and installed ip6tables on my DNS server, using the raw table with no conntrack for DNS: https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
But for IPv6 it drops fragmented packets; for example, this query fails once ip6tables is on:

    dig +dnssec isc.org any @2001:500:60::30

Everything works great for IPv4 with similar rules. Can someone help shed some light on what might be wrong?

    # Firewall configuration written by system-config-firewall
    *raw
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
    -A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
    -A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
    -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    #tcp dns
    -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 53 -j ACCEPT
    -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --sport 53 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
    COMMIT

Thanks in advance!!

Larry
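One check worth running against a ruleset like the one above (added example, not part of Larry's post or of the ISC article): flag raw-table NOTRACK rules that key on a transport port, since only the first fragment of an IPv6 datagram carries the UDP header and later fragments can never satisfy a port match. The sample ruleset below is a constructed excerpt of the posted configuration; whether this is what bites on a given kernel is not something the post establishes.

```python
import shlex

# Constructed sample: an excerpt of the ip6tables-save ruleset from the post.
RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

# Match options that require a transport-layer header to be present.
PORT_OPTS = {"--dport", "--sport", "--dports", "--sports"}


def parse_rules(text):
    """Yield (table, chain, tokens) for every '-A' rule in iptables-save format."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # '*raw' -> 'raw'
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]


def port_keyed_notrack_rules(text):
    """Return raw-table NOTRACK rules whose match depends on a UDP/TCP port.

    Such a rule exempts only the first fragment of a datagram from connection
    tracking; non-first fragments carry no transport header, so they fall
    through and are tracked (and filtered) as ordinary packets.
    """
    hits = []
    for table, chain, tokens in parse_rules(text):
        if table != "raw" or "-j" not in tokens:
            continue
        if tokens[tokens.index("-j") + 1] != "NOTRACK":
            continue
        if any(t in PORT_OPTS for t in tokens):
            hits.append(f"{chain}: {' '.join(tokens)}")
    return hits
```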