Re: PF and DNS requests
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF and DNS requests
- From: Jason Opperisano <opie_(_at_)_817west_(_dot_)_com>
- Date: Wed, 29 Dec 2004 15:58:40 -0500
On Wed, 2004-12-29 at 14:38, Mark Nelson wrote:
> I've just rebuilt my firewall using OpenBSD 3.5, (previously it was
> running on NetBSD). I'm now having problems resolving DNS requests from
> my DMZ. I have the following rules in pf.conf -
> pass in quick log on $external_if proto udp from any to 220.127.116.11/32
> port 53 keep state
> pass in quick on $dmz_if proto udp from any to 18.104.22.168 port 53
> keep state
> block in quick log on $external_if from any to any
> According to tcpdump, I get the following -
> Dec 29 19:34:09.116338 rule 4/0(match): pass in on xl2:
> 22.214.171.124.35915 > 126.96.36.199.53: 36873% [1au][|domain]
> Dec 29 19:34:09.179994 rule 58/0(match): block in on xl0:
> 188.8.131.52.53 > 184.108.40.206.35915: 36873*[|domain] (DF)
> When I remove the block line everything works.
> It looks to me (I could be wrong) like the firewall is not
> keeping state.
> Any suggestions?
it's hard to tell from the info you provide what is what. if you are
trying to allow DNS name resolution requests from machines in your DMZ
to a DNS server on the internet:
    pass in quick on $dmz_if inet proto udp from $dmz_if:network \
        to $dns_server port = 53 keep state
    pass out quick on $external_if inet proto udp \
        from $dmz_if:network to $dns_server port = 53 keep state
would be the way i'd do it.
"I've added an extra ingredient just for you. The merciless peppers
of Quetzlzacatenango! Grown deep in the jungle primeval by the
inmates of a Guatemalan insane asylum."
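
One way to confirm the symptom from pflog output like that quoted above, as an added example that is not part of the original thread: pair each passed DNS query with a blocked reply carrying the same DNS id and client port. PF checks its state table before the ruleset, so a reply that reaches a block rule matched no state. The log lines are constructed with documentation addresses, and the match ignores the client address on the assumption that the firewall may translate it (the thread does not say whether NAT is in use).

```python
import re

# Constructed pflog lines in the format quoted in the thread (not real traffic).
SAMPLE = """\
Dec 29 19:34:09.116338 rule 4/0(match): pass in on xl2: 192.0.2.10.35915 > 198.51.100.53.53: 36873% [1au][|domain]
Dec 29 19:34:09.179994 rule 58/0(match): block in on xl0: 198.51.100.53.53 > 203.0.113.1.35915: 36873*[|domain] (DF)
Dec 29 19:34:10.000100 rule 4/0(match): pass in on xl2: 192.0.2.11.40000 > 198.51.100.53.53: 1234+ A? example.org. (29)
"""

# rule N/0(match): <action> <dir> on <if>: src.sport > dst.dport: <dns id>
LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifc>\S+): (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<qid>\d+)")


def parse(text):
    """Turn each recognisable pflog line into a dict of its fields."""
    return [m.groupdict() for m in map(LINE.search, text.splitlines()) if m]


def blocked_replies(text):
    """Return (query, reply) pairs where a passed DNS query's reply was blocked."""
    pending, hits = {}, []
    for e in parse(text):
        if e["action"] == "pass" and e["dport"] == "53":
            # Key on server address, client port and DNS id; the client
            # address is left out because it may be rewritten by NAT.
            pending[(e["dst"], e["sport"], e["qid"])] = e
        elif e["action"] == "block" and e["sport"] == "53":
            query = pending.get((e["src"], e["dport"], e["qid"]))
            if query:
                hits.append((query, e))
    return hits


def report(text):
    """One line per query whose reply hit a block rule instead of a state."""
    return [f"id {r['qid']}: query passed by rule {q['rule']} on {q['ifc']}, "
            f"reply blocked by rule {r['rule']} on {r['ifc']}"
            for q, r in blocked_replies(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A hit names the interface where the reply found no state, which is where to look for a missing `keep state` rule.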