From: "Ansar Mohammed" <ansarm@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 7 May 2008 13:34:00 -0400
Subject: UDP weirdness
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a very simple configuration, yet I am bemused as to what I am doing wrong.

Windows 2003  <-  FreeBSD-PF  ->  Windows 2003
192.168.3.2       192.168.3.1 / 192.168.2.2       192.168.2.130

Here are my rules:

ext_if="le0"
int_if="le1"
int_net="192.168.3.0/24"
ext_net="192.168.2.0/24"
int_addr="192.168.3.1"
ext_addr="192.168.2.2"

scrub on $ext_if all reassemble tcp
scrub on $int_if all reassemble tcp

block in log all
pass in proto icmp from any to any
pass in proto udp from any to any port 53
pass in on $ext_if inet proto tcp from any to any port 3389

DNS traffic is allowed through, but the return packet gets blocked. Can anyone explain why?

This is true of ALL UDP traffic. TCP traffic works well.

Pflog message:

065276 rule 0/0(match): block in on le1: 192.168.3.2.53 > 192.168.2.130.3837: [|domain]
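The ruleset below is an added example and is not part of the posted mail or any reply to it. It reuses the interface names and addresses from the mail and places the poster's stateless UDP rule beside a stateful form of the same rule, to show why a reply that arrives in on le1 with source port 53 is handled differently by the two. Whether "keep state" is needed depends on the pf version in use: pf based on OpenBSD 4.1 or later keeps state on pass rules by default, older pf (such as the one shipped with FreeBSD 6.x) does not, and the mail does not say which version is running, so that is an assumption the reader has to check.

```pf
# Added example, not the poster's ruleset. Interface names and addresses are
# taken from the mail; the DNS server (192.168.3.2) and client (192.168.2.130)
# are as shown in the pflog line.
ext_if="le0"
int_if="le1"

scrub on $ext_if all reassemble tcp
scrub on $int_if all reassemble tcp

# Default deny for inbound packets on every interface. A packet is logged
# against this rule only when no later rule and no existing state matches it.
block in log all

# Stateless form, as posted. It matches only packets whose DESTINATION port is
# 53, so the query from 192.168.2.130.3837 to 192.168.3.2.53 (in on le0) passes,
# but the reply from 192.168.3.2.53 to 192.168.2.130.3837 (in on le1) has 53 as
# its SOURCE port, matches nothing, and falls back to "block in log all", which
# is exactly what the pflog line "rule 0/0(match): block in on le1" reports.
# pass in proto udp from any to any port 53

# Stateful form: the first query creates a state entry keyed on both address
# and port pairs, and every later packet of that flow, reply included, is
# matched against the state table before the rules are evaluated, on whichever
# interface it arrives. "keep state" is implicit on pf from OpenBSD 4.1 onward
# and must be written out on older pf; writing it out is harmless on both.
pass in proto udp from any to any port 53 keep state
pass in proto icmp from any to any keep state
pass in on $ext_if inet proto tcp from any to any port 3389 keep state
```

After loading the ruleset with pfctl -f /etc/pf.conf and sending one query, pfctl -ss should list a udp state between 192.168.2.130 and 192.168.3.2:53, and the reply should no longer show up in tcpdump -n -e -ttt -i pflog0. If pfctl -ss shows no state after a query, the running pf is treating the pass rule as stateless and the explicit "keep state" is the change that matters.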