X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=transmission-firewall%2Fnetns.rules;fp=transmission-firewall%2Fnetns.rules;h=3340ecf2f8a3cd4e960e7fd57cc98811276e74f4;hb=8de1e14e35d0ad62620a59f6e2ca4ba19ddcda3c;hp=3544f5bea8c850378036ac6bc8326cc38f609770;hpb=ee27d59f1eea7a83b1764ec41bfb3015bb463a26;p=distro-setup
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
index 3544f5b..3340ecf 100644
--- a/transmission-firewall/netns.rules
+++ b/transmission-firewall/netns.rules
@@ -21,24 +21,22 @@
 #-A FORWARD -i brvpn -j REJECT
 # but I'm thinking firewall from inside is simpler.
-# prevent dns leaks, openvpn runs as root, allow root to
-# make non-vpn dns calls, but not transmission which does not run as root.
-# openvpn needs this in order to lookup the ip of the vpn server
-# before it's connected to it. We could hardcode the vpn ips in the
-# config, but our vpn service provider gave us dns, so the ip might change.
--A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+# prevent dns leaks. note: if we needed openvpn to do initial dns, we could
+# add -m owner --uid-owner root to the output rules, but we just connect to
+# ip addresses.
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --sport 53 -j ACCEPT
--A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
 # transmission-remote
 -A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-# 1302 is used by mullvad
--A OUTPUT -p udp -m udp --dport 1302 -j ACCEPT
--A INPUT -p udp -m udp --sport 1302 -j ACCEPT
+# 1196 is used by mullvad
+-A OUTPUT -p udp -m udp --dport 1196 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1196 -j ACCEPT
 -A OUTPUT -o tun0 -j ACCEPT
 -A INPUT -i tun0 -j ACCEPT
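Review bot: Dropping `-m owner --uid-owner root` from the two added `-A OUTPUT ... --dport 53` rules makes them match every uid on every outgoing interface, so the comment directly above them ("prevent dns leaks") no longer describes what they do: transmission can now send DNS over whatever non-tun0 path this namespace has, which is exactly the leak the old owner match was blocking. Given the new comment says the VPN is reached by ip address, and the later context line `-A OUTPUT -o tun0 -j ACCEPT` already permits DNS through the tunnel, these two rules only add leak surface; either delete them or pin them to the tunnel, `-A OUTPUT -o tun0 -p udp -m udp --dport 53 -j ACCEPT` and `-A OUTPUT -o tun0 -p tcp -m tcp --dport 53 -j ACCEPT` (assuming the chain's default policy, which is outside this hunk, drops or rejects everything else). The matching `-A INPUT ... --sport 53` lines are pre-existing context and accept any packet with source port 53 regardless of interface or connection state; worth revisiting alongside this, but not introduced here.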