Re: PF and DNS requests
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF and DNS requests
- From: Jason Opperisano <opie_(_at_)_817west_(_dot_)_com>
- Date: Wed, 29 Dec 2004 15:58:40 -0500
On Wed, 2004-12-29 at 14:38, Mark Nelson wrote:
> Hello
>
> I've just rebuilt my firewall using OpenBSD 3.5, (previously it was
> running on NetBSD). I'm now having problems resolving DNS requests from
> my DMZ. I have the following rules in pf.conf -
>
> pass in quick log on $external_if proto udp from any to 217.169.6.226/32
> port 53 keep state
>
> pass in quick on $dmz_if proto udp from any to 217.169.6.226 port 53
> keep state
>
> block in quick log on $external_if from any to any
>
>
> According to tcpdump, I get the following -
>
> Dec 29 19:34:09.116338 rule 4/0(match): pass in on xl2:
> 217.169.6.226.35915 > 193.174.75.146.53: 36873% [1au][|domain]
> Dec 29 19:34:09.179994 rule 58/0(match): block in on xl0:
> 193.174.75.146.53 > 217.169.6.226.35915: 36873*[|domain] (DF)
>
>
> When I remove the block line everything works.
>
>
> It looks to me (I could be wrong) like the firewall is not
> keeping state.
>
> Any suggestions?
it's hard to tell from the info you provide what is what. if you are
trying to allow DNS name resolution requests from machines in your DMZ
to a DNS server on the internet:
# queries from DMZ hosts arriving on the DMZ interface
pass in quick on $dmz_if inet proto udp from $dmz_if:network \
    to $dns_server port = 53 keep state
# the same queries leaving on the external interface
pass out quick on $external_if inet proto udp \
    from $dmz_if:network to $dns_server port = 53 keep state
would be the way i'd do it.
-j
--
"I've added an extra ingredient just for you. The merciless peppers
of Quetzlzacatenango! Grown deep in the jungle primeval by the
inmates of a Guatemalan insane asylum."
--The Simpsons
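The two pflog lines in the original question already contain the diagnosis: the blocked packet on xl0 is the exact reverse of the query that was passed on xl2 (same addresses, same ports, same DNS id 36873), so the reply found no state entry to match. The script below is an added example, not code from this thread; it parses pflog-style tcpdump lines in the format shown above and pairs blocked packets with an earlier passed packet whose 5-tuple they reverse. The third sample line is constructed to show a block that is correctly left alone.

```python
import re
from collections import namedtuple

# Regex for the pflog tcpdump format quoted in the thread
# ("Dec 29 19:34:09.116338 rule 4/0(match): pass in on xl2: a.b.c.d.port > e.f.g.h.53: 36873% ...").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<dnsid>\d+)"
)

Packet = namedtuple(
    "Packet", "ts rule action direction ifname src sport dst dport dnsid"
)


def parse_line(line):
    """Parse one pflog tcpdump line; return a Packet or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(
        m["ts"], int(m["rule"]), m["action"], m["dir"], m["ifname"],
        m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["dnsid"]),
    )


def find_orphaned_replies(lines):
    """Return (query, reply) pairs where a blocked packet is the exact reverse
    of an earlier passed packet. Each hit is a reply that pf should have
    matched against a state entry created by the query, but did not."""
    passed = {}  # (src, sport, dst, dport) -> Packet that pf passed
    orphans = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.action == "pass":
            passed[key] = pkt
        else:
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            query = passed.get(reverse)
            # Require the DNS transaction id to match too, to rule out a stale
            # port reuse by an unrelated packet.
            if query is not None and query.dnsid == pkt.dnsid:
                orphans.append((query, pkt))
    return orphans


def describe(pair):
    """One-line human summary of an orphaned reply, for the report."""
    query, reply = pair
    return (
        f"query passed by rule {query.rule} on {query.ifname} "
        f"({query.src}:{query.sport} -> {query.dst}:{query.dport}, id {query.dnsid}); "
        f"reply blocked by rule {reply.rule} on {reply.ifname}: no state matched"
    )


# Constructed sample: the two lines from the thread plus one unrelated block.
SAMPLE_LOG = [
    "Dec 29 19:34:09.116338 rule 4/0(match): pass in on xl2: "
    "217.169.6.226.35915 > 193.174.75.146.53: 36873% [1au][|domain]",
    "Dec 29 19:34:09.179994 rule 58/0(match): block in on xl0: "
    "193.174.75.146.53 > 217.169.6.226.35915: 36873*[|domain] (DF)",
    # constructed: an unsolicited packet to port 53 that is correctly blocked
    "Dec 29 19:34:10.000001 rule 58/0(match): block in on xl0: "
    "198.51.100.7.4444 > 217.169.6.226.53: 1234 [|domain]",
]

if __name__ == "__main__":
    for pair in find_orphaned_replies(SAMPLE_LOG):
        print(describe(pair))
```

Run it against `tcpdump -n -e -ttt -i pflog0` output saved to a file (one line per packet, as in the quoted log); any line it reports is a reply for which the pass rule created no usable state, which is exactly the case the rules in the answer above are meant to cover on both the DMZ and external interfaces.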