[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PF and DNS requests


I've just rebuilt my firewall using OpenBSD 3.5, (previously it was
running on NetBSD).  I'm now having problems resolving DNS requests from
my DMZ.  I have the following rules in pf.conf - 
pass in quick log on $external_if proto udp from any to
port 53 keep state

pass in quick on $dmz_if proto udp from any to port   53
keep state 

block in quick log on $external_if from any to any

According to tcpdump, I get the following - 

Dec 29 19:34:09.116338 rule 4/0(match): pass in on xl2: >  36873% [1au][|domain]
Dec 2919:34:09.179994 rule 58/0(match): block in on xl0: >  36873*[|domain] (DF)

When I remove the block line everything works.

It look like to me (I could be wrong) is that the firewall is not
keeping state.

Any suggestions ?


Mark Nelson - mn_(_at_)_tardis_(_dot_)_cx
This mail is for the addressee only

[demime 1.01d removed an attachment of type application/pgp-signature]