This part:
Code:
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
You are accepting all DNS requests, either from LAN or WAN.
Next, you are mixing input and forward chain. In itself not a problem, but readability is low.
And at last (I'm not a firewall expert) you are creating all kinds of address lists. What is the main purpose of working like that? Listen to a port, add the source to an address list and then block entries on that address list.
My opinion: stick to the defaults unless you have a very good reason.
Statistics: Posted by erlinden — Sat Mar 29, 2025 11:22 am
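The two DNS rules quoted in the post, next to the RouterOS default-configuration pattern the reply recommends. This is an added illustration, not part of the post or of MikroTik's documentation; it assumes the interface lists LAN and WAN, a bridge named bridge and ether1 as the WAN port, as in the RouterOS default configuration.

```routeros
# As posted (weak): chain=input with no interface restriction, so the router
# answers DNS queries arriving on the WAN side as well as from the LAN (an open
# resolver). Note that "port=53" matches source OR destination port; "dst-port=53"
# is what is meant.
/ip firewall filter
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp

# Default-configuration pattern (assumed names: LAN/WAN lists, bridge, ether1).
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN

# With these defaults no DNS-specific rule is needed: LAN queries reach the end of
# the input chain (default action accept), WAN queries hit the final drop.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

# Only if a final "drop everything else" rule is added to input does DNS need an
# explicit accept; even then restrict it to the LAN side and use dst-port.
add action=accept chain=input comment="Accept DNS from LAN - UDP" dst-port=53 in-interface-list=LAN protocol=udp place-before=3
add action=accept chain=input comment="Accept DNS from LAN - TCP" dst-port=53 in-interface-list=LAN protocol=tcp place-before=3

# Checks: allow-remote-requests=yes makes the router a resolver for anyone the
# firewall lets in; the rule counters show whether WAN-side queries are dropped.
/ip dns print
/ip firewall filter print stats where chain=input
```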