From: "Ansar Mohammed" <ansarm@gmail.com>
To: "'Kevin K'" <kkutzko@teksavvy.com>, freebsd-pf@freebsd.org
Date: Wed, 7 May 2008 16:34:40 -0400
Subject: RE: UDP weirdness
Message-ID: <008b01c8b081$c74692e0$55d3b8a0$@com>
In-Reply-To: <005101c8b06b$5f0743c0$1d15cb40$@com>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

OK, so adding the line as you suggested worked. Thanks Kevin.

But why do I need to have both entries in for

    pass in proto udp from any to any port 53
    pass out proto udp from any to any port 53

What makes UDP so special?

> -----Original Message-----
> From: Kevin K [mailto:kkutzko@teksavvy.com]
> Sent: May 7, 2008 1:54 PM
> To: 'Ansar Mohammed'; freebsd-pf@freebsd.org
> Subject: RE: UDP weirdness
>
> Try
>
>     pass out proto udp from any to any port 53
>
> > -----Original Message-----
> > From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org]
> > On Behalf Of Ansar Mohammed
> > Sent: Wednesday, May 07, 2008 1:34 PM
> > To: freebsd-pf@freebsd.org
> > Subject: UDP weirdness
> >
> > I have a very simple configuration yet I am bemused as to what I am
> > doing wrong.
> >
> > Windows 2003  <-  FreeBSD-PF                ->  Windows 2003
> > 192.168.3.2       192.168.3.1  192.168.2.2      192.168.2.130
> >
> > Here are my rules:
> >
> >     ext_if="le0"
> >     int_if="le1"
> >     int_net="192.168.3.0/24"
> >     ext_net="192.168.2.0/24"
> >     int_addr="192.168.3.1"
> >     ext_addr="192.168.2.2"
> >
> >     scrub on $ext_if all reassemble tcp
> >     scrub on $int_if all reassemble tcp
> >
> >     block in log all
> >     pass in proto icmp from any to any
> >     pass in proto udp from any to any port 53
> >     pass in on $ext_if inet proto tcp from any to any port 3389
> >
> > DNS traffic is allowed through, but the return packet gets blocked. Can
> > anyone explain why?
> > This is true of ALL UDP traffic; TCP traffic works well.
> >
> > Pflog message:
> >
> >     065276 rule 0/0(match): block in on le1: 192.168.3.2.53 > 192.168.2.130.3837: [|domain]
> >
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
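An editorial note and worked ruleset, added here and not part of the thread. The question in the thread ("why both rules?") is answered by how pf keys its states, and the answer is not UDP-specific. A pf state records the direction and interface on which it was created: the state made by `pass in proto udp ... port 53` as the query arrives on le0 matches that query (inbound on le0) and its reply on the way back out through le0. The reply, however, is first seen by pf as a new inbound datagram on le1, from 192.168.3.2 port 53 to port 3837. No state covers that direction on that interface, `pass in ... to any port 53` does not match because the destination port is 3837, and so `block in log all` fires, which is exactly what the pflog line shows. The query itself left le1 only because the ruleset has no `block out`, so pf's implicit pass let it through without creating any state. Adding `pass out proto udp from any to any port 53` makes the query create a state as it leaves le1, and that state admits the reply coming back in on le1. UDP looks "special" only because a UDP reply is a completely separate datagram with the ports swapped; there is no handshake for the filter to fall back on, so it either matches a state or it is a fresh packet to be judged on its own.

Two caveats a practitioner would want. First, pass rules keep state by default only in pf from OpenBSD 4.1 onward (FreeBSD 7.0 and later); on older FreeBSD releases `keep state` must be written explicitly, and without it the `pass out` rule would not have helped. Second, the wrong fix is `pass in on $int_if proto udp from any port 53`: that trusts the source port, and anything on the network can send from port 53 to reach any port on the other side. The stateful rule on the query path is the right fix. The ruleset below (an added example, not the original poster's or Kevin's configuration) keeps the thread's interface names and networks, blocks in both directions so that nothing depends on the implicit pass, and writes one stateful rule per interface the flow crosses. The `dns_srv` macro is an assumption: the post does not say which host answers DNS, so the internal Windows 2003 box at 192.168.3.2 is used because it is the source of the logged reply.

```pf
# Added example, not the ruleset posted in the thread. Interface and network
# macros follow the original post; dns_srv is an assumption (the internal
# host that sent the logged reply).
ext_if="le0"
int_if="le1"
int_net="192.168.3.0/24"
ext_net="192.168.2.0/24"
dns_srv="192.168.3.2"

set skip on lo0
scrub on $ext_if all reassemble tcp
scrub on $int_if all reassemble tcp

# Default deny in BOTH directions. With "block in" only, the forwarded query
# left $int_if on pf's implicit pass and created no state there, so its
# reply arriving in on $int_if had nothing to match and was blocked.
block in log all
block out log all

# ICMP, same two-interface pattern as below.
pass in  on $ext_if inet proto icmp from any to $int_net keep state
pass out on $int_if inet proto icmp from any to $int_net keep state

# DNS query path: in on $ext_if, then out on $int_if. Each rule creates a
# state on its own interface and direction, so the reply (src port 53 to
# the client's ephemeral port) is matched statefully coming back in on
# $int_if and going back out on $ext_if. "keep state" is written out so
# the rules behave the same on pf versions where it is not the default.
pass in  on $ext_if inet proto udp from $ext_net to $dns_srv port 53 keep state
pass out on $int_if inet proto udp from $ext_net to $dns_srv port 53 keep state

# RDP into the internal network, same pattern. Only the SYN creates state.
pass in  on $ext_if inet proto tcp from any to $int_net port 3389 flags S/SA keep state
pass out on $int_if inet proto tcp from any to $int_net port 3389 flags S/SA keep state
```

Check it before loading with `pfctl -nf /etc/pf.conf` (parse only), load it with `pfctl -f /etc/pf.conf`, and then send one DNS query through the firewall: `pfctl -ss` should show two UDP states for it, one per interface, and `tcpdump -n -e -ttt -i pflog0` should no longer show the reply being blocked on le1. If a reply is still logged, `pfctl -vsr` shows the evaluation and packet counters per rule, which tells you which of the two pass rules never matched.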