From owner-freebsd-pf@FreeBSD.ORG Sun Oct 8 23:30:25 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41D2A16A412 for ; Sun, 8 Oct 2006 23:30:25 +0000 (UTC) (envelope-from jfranks@inetassociation.com)
Received: from ylpvm43.prodigy.net (ylpvm43-ext.prodigy.net [207.115.57.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id 107AF43D45 for ; Sun, 8 Oct 2006 23:30:23 +0000 (GMT) (envelope-from jfranks@inetassociation.com)
X-ORBL: [69.236.95.154]
Received: from iea4grrtmmd560 (adsl-69-236-95-154.dsl.pltn13.pacbell.net [69.236.95.154]) by ylpvm43.prodigy.net (8.13.8 out.dk.spool/8.13.8) with ESMTP id k98NUKdZ023779 for ; Sun, 8 Oct 2006 19:30:20 -0400
From: "Justin Franks"
To:
Date: Sun, 8 Oct 2006 16:30:23 -0700
Message-ID: <000001c6eb31$bab05140$6401a8c0@iea4grrtmmd560>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Need a little PF help here, please...
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 08 Oct 2006 23:30:25 -0000

Have been using PF for over two years and recently ran into a "problem" which I am sure is something I am overlooking. So I need some direction. Here it is:

I recently enabled BIND9 on FreeBSD 6.1. I have PF running too (PF config below). If I ping yahoo.com nothing happens. However, if I comment out the PF rule "block in all" then suddenly I can ping yahoo.com.

Why will my server not resolve names (like yahoo.com) if the "block in all" statement exists? Why does that statement mess it up? What am I missing? Please help because I am totally frustrated.

Here is my pf.conf file.

table persist file "/etc/pf-files/misc"
table persist file "/etc/pf-files/spam"
table persist file "/etc/pf-files/ssh"
table persist file "/etc/pf-files/gov"
table persist file "/etc/pf-files/dod"
table persist file "/etc/pf-files/fbi"
table persist file "/etc/pf-files/cia"
table persist file "/etc/pf-files/china"
table persist file "/etc/pf-files/hongkong"
table persist file "/etc/pf-files/taiwan"
table persist file "/etc/pf-files/vietnam"
table persist file "/etc/pf-files/argentina"

scrub in all

block in all

antispoof for rl0 inet

pass in quick on rl0 proto tcp from any to rl0 port www
pass in quick on rl0 proto udp from any to rl0 port www

block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 from to any
block in quick on rl0 from to any
block in quick on rl0 from to any
block in quick on rl0 from to any
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25
block in quick on rl0 proto tcp from to rl0 port 25

pass in on rl0 proto tcp from any to rl0 port 25
pass in on rl0 proto tcp from any to rl0 port 110
pass in on rl0 proto tcp from to rl0 port 22
pass in on rl0 inet proto icmp all icmp-type echoreq

pass out keep state

-------------------
Justin
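The following is an added example and is not part of Justin's mail or of pf itself. It is a deliberately small Python model of the two pf evaluation rules that the ruleset above depends on: the last matching rule wins unless a matching rule carries "quick", and a "keep state" match on an outbound rule admits the reply packets before the ruleset is consulted at all. The rule list is a hand-transcribed subset of the pf.conf in the mail; the table-based rules are left out because the table names did not survive the archive, and the icmp-type qualifier is not modelled. Hosts and ports are constructed documentation-range values, not anything from the mail. It shows why "block in all" with a stateful "pass out" is the intended pattern (a DNS reply to a tracked query is passed by state) and why an inbound UDP packet from port 53 with no matching state is dropped by "block in all", because no later rule matches it.

```python
"""Toy model of pf rule evaluation (added example, not pf and not from the mail).

Modelled: last-match-wins, 'quick', and 'keep state' on outbound rules.
Not modelled: tables, scrub, antispoof, icmp-type, if-bound vs floating state.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # e.g. "rl0"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None == any interface
    proto: Optional[str] = None  # None == any protocol
    dport: Optional[int] = None  # None == any destination port
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


FlowKey = Tuple[str, str, int, str, int]


class ToyPF:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # A reply has the original flow's endpoints swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # State lookup happens before the ruleset: replies to a tracked
        # flow never see "block in all".
        if self._key(p) in self.states or self._reply_key(p) in self.states:
            return "pass"
        verdict, winner = "pass", None   # pf's implicit default is pass
        for r in self.rules:
            if r.matches(p):
                verdict, winner = r.action, r
                if r.quick:              # 'quick' ends evaluation here
                    break
        if verdict == "pass" and winner is not None and winner.keep_state:
            self.states.add(self._key(p))
        return verdict


# Subset of the pf.conf from the mail, in the same order.
RULES = [
    Rule("block", "in"),                                                  # block in all
    Rule("pass", "in", iface="rl0", proto="tcp", dport=80, quick=True),  # ... port www
    Rule("pass", "in", iface="rl0", proto="udp", dport=80, quick=True),
    Rule("pass", "in", iface="rl0", proto="tcp", dport=25),
    Rule("pass", "in", iface="rl0", proto="tcp", dport=110),
    Rule("pass", "in", iface="rl0", proto="icmp"),                        # echoreq only in the real rule
    Rule("pass", "out", keep_state=True),                                 # pass out keep state
]

# Constructed addresses (RFC 5737 documentation ranges), not from the mail.
ME, RESOLVER = "198.51.100.10", "203.0.113.53"


def dns_roundtrip(pf: ToyPF) -> Tuple[str, str]:
    """Outbound query creates state; the reply is admitted by that state."""
    query = Packet("out", "rl0", "udp", ME, 40000, RESOLVER, 53)
    reply = Packet("in", "rl0", "udp", RESOLVER, 53, ME, 40000)
    return pf.filter(query), pf.filter(reply)


def unsolicited_dns(pf: ToyPF) -> str:
    """Inbound UDP from port 53 with no state: only 'block in all' matches."""
    stray = Packet("in", "rl0", "udp", RESOLVER, 53, ME, 40001)
    return pf.filter(stray)


def reply_without_keep_state() -> str:
    """Same ruleset but with a stateless 'pass out': the reply is blocked."""
    rules = RULES[:-1] + [Rule("pass", "out", keep_state=False)]
    return dns_roundtrip(ToyPF(rules))[1]


if __name__ == "__main__":
    pf = ToyPF(RULES)
    print("query/reply with keep state:", dns_roundtrip(pf))
    print("unsolicited inbound from port 53:", unsolicited_dns(pf))
    print("reply when pass out is stateless:", reply_without_keep_state())
```

The model only shows what the ruleset is supposed to do for a query that leaves on rl0; it does not reproduce the failure in the mail, and anything it leaves out (the loopback path to a local BIND, scrub, antispoof, the table rules) is exactly where a real pflog trace would have to be read.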