Set output default policy to drop and allow DNS request.

This commit is contained in:
Jeremy Gardais 2017-08-09 10:34:29 +02:00
parent c711ec53eb
commit e018e439bb
2 changed files with 8 additions and 3 deletions


@ -83,9 +83,11 @@ nft_input_host_rules: {}
nft_output_default_rules:
000 policy:
- type filter hook output priority 0; policy accept;
- type filter hook output priority 0; policy drop;
005 global:
- jump global
050 domain:
- udp dport domain ct state new counter accept
nft_output_group_rules: {}
nft_output_host_rules: {}
@ -149,8 +151,9 @@ table inet firewall {
}
chain output {
type filter hook output priority 0; policy accept;
type filter hook output priority 0; policy drop;
jump global
udp dport domain ct state new counter packets 0 bytes 0 accept
}
}
```


@ -39,9 +39,11 @@ nft_input_host_rules: {}
nft_output_default_rules:
000 policy:
- type filter hook output priority 0; policy accept;
- type filter hook output priority 0; policy drop;
005 global:
- jump global
050 domain:
- udp dport domain ct state new counter accept
nft_output_group_rules: {}
nft_output_host_rules: {}
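Review bot: The new `050 domain` rule only admits UDP to port 53, so with the output policy now `drop` any resolver fallback to TCP (truncated responses, large EDNS or DNSSEC answers) is silently dropped instead of retried; a parallel entry `- tcp dport domain ct state new counter accept` under the same key would cover it. Whether replies to these new flows are accepted depends on the `global` chain the `005 global` entry jumps to, which is outside the hunk; presumably it carries an established/related accept, but that should be confirmed before the default is flipped to drop. Since this is the role default, every other outbound service (NTP, package mirrors, outbound SSH) now needs an explicit rule, and nothing in the hunk records what is dropped — a final rule with a `log` statement would make the rejected traffic visible for troubleshooting and detection. The same change appears in the README hunk above, which only needs to stay in sync with whatever is decided here.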