Revert "firewall: always allow outgoing DNS traffic to root servers"

This reverts commit 70cd5c42f0.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

config/rootfiles/core/137/filelists/files

@@ -1,6 +1,8 @@
 etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
+usr/lib/firewall/rules.pl
+usr/sbin/firewall-policy
 var/ipfire/langs
 etc/logrotate.conf
 etc/rc.d/init.d/firewall
@@ -17,3 +19,4 @@ usr/local/bin/xt_geoip_update
 var/ipfire/backup/bin/backup.pl
 var/ipfire/qos/bin/makeqosscripts.pl
 var/ipfire/suricata/ruleset-sources
+srv/web/ipfire/cgi-bin/ovpnmain.cgi

src/initscripts/system/firewall

@@ -6,7 +6,6 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-ROOTHINTS="/etc/unbound/root.hints"
 IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
 
 if [ -f /var/ipfire/red/device ]; then
@@ -309,17 +308,6 @@ iptables_init() {
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
 	
-	# Allow outgoing DNS traffic (TCP and UDP) to DNS root servers
-	local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )"
-	ipset -N root-servers iphash
-
-	for ip in "${rootserverips[@]}"; do
-		ipset add root-servers $ip
-	done
-
-	iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT
-	iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT
-	
 	# Jump into the actual firewall ruleset.
 	iptables -N INPUTFW
 	iptables -A INPUT -j INPUTFW