Set output default policy to drop and allow DNS request.
parent
c711ec53eb
commit
e018e439bb
|
@ -83,9 +83,11 @@ nft_input_host_rules: {}
|
||||||
|
|
||||||
nft_output_default_rules:
|
nft_output_default_rules:
|
||||||
000 policy:
|
000 policy:
|
||||||
- type filter hook output priority 0; policy accept;
|
- type filter hook output priority 0; policy drop;
|
||||||
005 global:
|
005 global:
|
||||||
- jump global
|
- jump global
|
||||||
|
050 domain:
|
||||||
|
- udp dport domain ct state new counter accept
|
||||||
nft_output_group_rules: {}
|
nft_output_group_rules: {}
|
||||||
nft_output_host_rules: {}
|
nft_output_host_rules: {}
|
||||||
|
|
||||||
|
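Review bot: The new `050 domain` rule accepts only UDP port 53, so now that the output chain policy is `drop`, any query that has to fall back to TCP — truncated answers, large DNSSEC or TXT records, zone transfers — is silently discarded after the UDP attempt succeeds, which surfaces as intermittent resolution failures rather than an obvious block. Widen it to both transports, e.g. `- meta l4proto { tcp, udp } th dport domain ct state new counter accept`, or add a sibling `- tcp dport domain ct state new counter accept`. The rule also carries no `daddr` restriction, so any host may reach any resolver; if the role already knows the configured resolvers, restricting the rule to them limits DNS-based exfiltration and tunnelling. Whether established/related return traffic and loopback still pass under the drop policy depends on the `global` chain, which is outside this hunk and should be confirmed before this default ships.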
@ -149,8 +151,9 @@ table inet firewall {
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0; policy accept;
|
type filter hook output priority 0; policy drop;
|
||||||
jump global
|
jump global
|
||||||
|
udp dport domain ct state new counter packets 0 bytes 0 accept
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -39,9 +39,11 @@ nft_input_host_rules: {}
|
||||||
|
|
||||||
nft_output_default_rules:
|
nft_output_default_rules:
|
||||||
000 policy:
|
000 policy:
|
||||||
- type filter hook output priority 0; policy accept;
|
- type filter hook output priority 0; policy drop;
|
||||||
005 global:
|
005 global:
|
||||||
- jump global
|
- jump global
|
||||||
|
050 domain:
|
||||||
|
- udp dport domain ct state new counter accept
|
||||||
nft_output_group_rules: {}
|
nft_output_group_rules: {}
|
||||||
nft_output_host_rules: {}
|
nft_output_host_rules: {}
|
||||||
|
|
||||||
|
|
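Review bot: This block appears to be a second copy of the `nft_output_default_rules` mapping changed in the earlier hunk (same keys and rules at different file offsets), and nothing in the hunk marks it as derived, so the two will drift the next time one of them is edited. A one-line comment above `050 domain` stating the intent and the coupling would help, e.g. `# DNS is the only outbound traffic permitted by default; keep in sync with the role defaults`. As in the other copy, the accept covers UDP 53 only, so TCP fallback for large responses is dropped under the new `policy drop` unless the `global` chain (outside this hunk) handles it.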