Thanks!
On 1/4/22 00:15, Andrei Borzenkov wrote:
> On Tue, Jan 4, 2022 at 1:07 AM Snow Summer <summersnow9403(a)gmail.com> wrote:
>> Hi Eric,
>>
>> Thank you so much! The commands work after rebooting. However, I still cannot
>> figure out why simply using:
>>
>> firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="4.2.2.1" reject'
>>
>> would not block all incoming DNS responses from 4.2.2.1. I think that by either
>> filtering the incoming packets by IP of source, or outgoing packets by the IP of
>> destination (using the outbound filtering you have mentioned), my computer cannot query
>> 4.2.2.1 for DNS responses. Is that right?
>>
> DNS response is a related packet to DNS request. Related packets are
> allowed and this rule is one of the first, so response is accepted
> before your reject rule can be evaluated.
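
Added example, not part of the thread and not firewalld code: a simplified Python model of first-match evaluation with connection tracking, showing why the source-address reject never sees the DNS response while an outbound reject stops the query. The local address 192.0.2.10, the port 40000, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

BLOCKED = "4.2.2.1"   # resolver named in the thread
LOCAL = "192.0.2.10"  # constructed address for the local machine

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Host:
    """Simplified model: one conntrack table, first matching rule wins."""

    def __init__(self, reject_outbound=False):
        self.flows = set()                  # flows created by packets we sent
        self.reject_outbound = reject_outbound

    def send(self, p):
        # Output chain: optional reject by destination (outbound filtering).
        if self.reject_outbound and p.dst == BLOCKED:
            return "reject"
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return "accept"

    def receive(self, p):
        # Rule 1: accept packets that belong to a tracked flow (replies).
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"
        # Rule 2: the rich rule, reached only by untracked packets.
        if p.src == BLOCKED:
            return "reject"
        return "default"

def dns_exchange(host):
    """Send one DNS query to BLOCKED and return (query, response) verdicts."""
    query = Packet(LOCAL, 40000, BLOCKED, 53)
    response = Packet(BLOCKED, 53, LOCAL, 40000)
    sent = host.send(query)
    # If the query never left, no response would arrive at all.
    return sent, (host.receive(response) if sent == "accept" else None)

if __name__ == "__main__":
    print(dns_exchange(Host()))                      # rich rule only
    print(dns_exchange(Host(reject_outbound=True)))  # with outbound filter
    print(Host().receive(Packet(BLOCKED, 53, LOCAL, 40000)))  # unsolicited
```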