
While FirewallD is running, all DNS queries fail and are blocked by the firewall. Running `tcpdump -i docker0` while running `ping google.com` in a container shows me:

```
21:27:02.683342 IP 172.17.0.2.35118 > google-public-dns-a.google.com.domain: 54430+ AAAA? google.com. (28)
21:27:02.683399 IP 172.17.0.1 > 172.17.0.2: ICMP host google-public-dns-a.google.com unreachable - admin prohibited filter, length 64
```

Pinging 8.8.8.8 for instance, or any other absolute IP, works fine.

If I explicitly add docker0 or 172.17.0.0/16 to the trusted zone, the requests go through. However, another one of my machines on the same distribution (openSUSE Tumbleweed) works fine.

I've torn through my FirewallD config, and there is no mention of either that subnet or the docker0 interface. I'm really not sure what's going on nor where to look. You can find my active FirewallD rules below.

```
sudo firewall-cmd --get-active-zones
public
```

```
sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
```
  • Have you looked at [this](https://opsech.io/posts/2017/May/23/docker-dns-with-firewalld-on-fedora.html) or [this](https://unix.stackexchange.com/questions/199966/how-to-configure-centos-7-firewalld-to-allow-docker-containers-free-access-to-th)? – Giacomo1968 Sep 01 '18 at 01:53
  • Yes. Those both suggest adding the interface to trusted, which I said will work in the OP, but I'm trying to figure out the root cause rather than just adding it as a trusted interface. My other machine works without that, so I'm certainly perplexed. – ollien Sep 01 '18 at 14:25
  • You should then compare the configuration between the two machines. You listed the active zone here ("Active zones are zones, that have a binding to an interface or source"), but that doesn't mean there aren't other rules in other zones acting on port 53, or an interaction with the iptables rules Docker adds. – A.B Sep 27 '18 at 03:32
  • I've compared them as much as I can, but I can't seem to find anything. Is there anywhere specific that might be helpful? I've searched high and low to no avail. – ollien Sep 27 '18 at 03:33
  • You can still dump the "low level" iptables results with `iptables-save -c` on both and manually try to find differences. But both firewalld and Docker probably add a lot of chains and rules (probably with bridges having a different embedded id in their name), making this difficult. I can't think of an easier method (which might still be waiting to be found). – A.B Sep 27 '18 at 03:37
