Hi,

I’m really struggling to understand the reason why, but my unbound is always starting unhealthy when I activate the Hetzner Firewall on my setup.

I had to enable INCOMING icmp to my docker host so the ping checks work.
Now it still looks like the server cannot resolve DNS, even though all outbound connections/traffic are allowed (as well as the famous return ports with TCP ACK).

If I run dig +short +timeout=2 +tries=1 email.mailcow @127.0.0.1
I get ;; communications error to 127.0.0.1#53: timed out

If I disable the Hetzner Firewall (which I only like to do for a short time…) it seems to work.

Any idea on what INCOMING port config I might be missing?
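The dig check from the post, rebuilt as a small Python probe (added here, not code from this thread or from mailcow) so the UDP and TCP paths can be compared: loopback traffic is not touched by the Hetzner firewall, so a timeout against the local unbound while a direct query to an upstream resolver answers over TCP but not over UDP points at dropped UDP return traffic. The upstream resolver address is an assumption; any public resolver unbound forwards to will do.

```python
import random
import socket
import struct

TIMEOUT = 2.0                           # mirrors dig +timeout=2 +tries=1
LOCAL_UNBOUND = ("127.0.0.1", 53)       # resolver the dig command in the thread targets
UPSTREAM = ("9.9.9.9", 53)              # ASSUMPTION: any public resolver unbound may forward to

def build_query(name, qid=None):
    """Build a minimal DNS A query with the RD (recursion desired) bit set."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(data):
    """Return (id, rcode, answer_count) of a DNS response; raise if it is not one."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    return qid, flags & 0x000F, an

def probe(resolver, proto, name="email.mailcow"):
    """Send one query over 'udp' or 'tcp'; return 'reply(rcode=N)', 'timeout' or 'error:...'.
    Any reply at all (even NXDOMAIN from an upstream) proves the return path is open."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(TIMEOUT)
                s.sendto(query, resolver)
                data, _ = s.recvfrom(512)
        else:
            with socket.create_connection(resolver, timeout=TIMEOUT) as s:
                s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
                f = s.makefile("rb")
                data = f.read(struct.unpack("!H", f.read(2))[0])
        _qid, rcode, _an = parse_header(data)
        return f"reply(rcode={rcode})"
    except socket.timeout:
        return "timeout"
    except (OSError, ValueError) as e:
        return f"error:{e}"

if __name__ == "__main__":
    for target in (LOCAL_UNBOUND, UPSTREAM):
        print(target[0], {p: probe(target, p) for p in ("udp", "tcp")})
```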


Thanks for the info, seems this one got lost during a recent firewall update on our side.

Here is a screenshot of the rules that have to be set on the “old school” server firewall, not the cloud one. Maybe this might be worth an addition to the docs as I did spend a couple of tries to figure this out (* did not work for protocol).

Here

Now, the lost connection in the firewall did have some bad side effects. Obviously all incoming mail of the last days since the change did get dropped because postfix could not resolve the sender host (including gmail.com etc…)
I assume there is no way to get them back, even from the daily backups, right?

Better Screenshot


Chiming in here… I am also with Hetzner, I am using a Hetzner firewall, and I do not experience any of those problems. Container is healthy, logs are happy, I’m trying to understand what I am missing?

Here are firewall definitions:

Regards,
-Patrick

Hint: Hetzner Cloud Firewall is a stateful firewall. The firewall for dedicated servers is a stateless firewall.

    IdrisK Right, I haven’t used dedicated servers so I didn’t know that. Thanks for the hint.
