
Re: PF and DNS requests



Hi Patrick,

patrick ~ wrote on Wed, Dec 29, 2004 at 01:05:25PM -0800:
> --- Mark Nelson <mn_(_at_)_tardis_(_dot_)_cx> wrote:
[...]
>> pass in quick log on $external_if proto udp from any to 217.169.6.226/32
>> port 53 keep state
[...]
>> block in quick log on $external_if from any to any
[...]
>> Any suggestions ?
> 
> Yes! Read the man page for pf.conf:
>      For each packet processed by the packet filter, the filter rules are
>      evaluated in sequential order, from first to last.  The last matching
>      rule decides what action is taken.
> Take note of the last sentence above!

Well, now you are leading Mark astray.  He is using the "quick" option
to reverse the behaviour described in the paragraph you cite.

Still, I agree that the information supplied by Mark is hardly
sufficient to understand his problem.  One would at least need
to know which of his networks uses which IP numbers, which of his
interfaces uses which device node and which nameserver (internet
or internal network?) he is trying to query.  Besides, he should
make sure to cite all the relevant rules, including the options -
for example, is he using the if-bound or the floating state-policy?

Yours, 
  Ingo
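To make the ordering point both posters refer to concrete, here is a small Python model of pf's rule evaluation, added as an illustration and not code from the thread. It encodes the two rules Mark quoted (pass DNS to the resolver, then block everything else), ignores interfaces and state, and shows that dropping "quick" from the pass rule lets the later block rule win. The resolver address is the one quoted above; the packet samples are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    quick: bool                 # pf's "quick": stop evaluating on match
    proto: Optional[str] = None  # None matches any protocol
    dst: Optional[str] = None    # destination network; None matches any
    dport: Optional[int] = None  # destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def evaluate(rules: List[Rule], pkt: dict, default: str = "pass") -> Tuple[str, Optional[int]]:
    """Model of pf's ordered evaluation (pf.conf(5)): rules are checked
    first to last and the LAST matching rule decides, unless a matching
    rule carries 'quick', which ends evaluation at that rule.
    Returns (action, index of deciding rule); pf passes when nothing matches."""
    decision: Tuple[str, Optional[int]] = (default, None)
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision

# Mark's rules as quoted: pass DNS to the resolver (quick), then block all (quick).
WITH_QUICK = [
    Rule("pass", True, proto="udp", dst="217.169.6.226/32", dport=53),
    Rule("block", True),
]
# Same rules, but with "quick" removed from the pass rule (constructed variant).
WITHOUT_QUICK = [
    Rule("pass", False, proto="udp", dst="217.169.6.226/32", dport=53),
    Rule("block", True),
]

# Constructed sample packets.
DNS_QUERY = {"proto": "udp", "dst": "217.169.6.226", "dport": 53}
WEB_PROBE = {"proto": "tcp", "dst": "192.0.2.10", "dport": 80}

if __name__ == "__main__":
    print("with quick:   ", evaluate(WITH_QUICK, DNS_QUERY))     # ('pass', 0)
    print("without quick:", evaluate(WITHOUT_QUICK, DNS_QUERY))  # ('block', 1)
```

The model deliberately leaves out interface, direction and state tracking, which is exactly the information Ingo notes is missing from Mark's report and which would be needed to explain a real failure.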


