From owner-freebsd-pf@FreeBSD.ORG Sun Mar 6 20:42:09 2005
Date: Mon, 7 Mar 2005 07:42:08 +1100
From: Jayel Villamin
To: freebsd-pf@freebsd.org
Subject: PC dns request is getting blocked

pf.conf contents
=====================
######
#macros

#interfaces
ext_if = "tun0"
egwene_if = "xl1"
elayne_if = "xl2"
loopback_if = "lo0"

#private networks
private_net = "{ 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"

#network services
icmp_types = "echoreq"
ext_out_udp_ports = "{ domain, ntp }"
ext_in_tcp_ports_from = "{ ftp-data, 1066 }"
ext_in_tcp_ports_to = "{ ssh, auth, 19979,19969 }"
ext_in_apache = "19989"
egwene_in_udp_ports = "{ domain, ntp }"
egwene_in_tcp_ports = "{ socks, 19999, 19985:19989, 6881:6889, 5900:5909, https, ssh, pop3, smtp }"
egwene_out_tcp_ports = "{ 19975:19979, 19999 }"
egwene_out_home_lan_services = "{ 19985:19989, 5900:5909 }"
elayne_in_udp_ports = "{ domain, ntp }"
elayne_in_tcp_ports = "{ socks, 19999, 19985:19989, 6881:6889, 5900:5909, https, ssh, nntp }"
elayne_out_tcp_ports = "{ 19975:19979, 19999 }"
elayne_out_home_lan_services = "{ 19985:19989, 5900:5909 }"

#specific PCs
nynaeve = "127.0.0.1/32"
nynaeve_nic2 = "192.168.1.1/32"
nynaeve_nic3 = "192.168.2.1/32"
egwene = "192.168.1.2/32"
rand = "192.168.1.3/32"
elayne = "192.168.2.2/32"

######
#pf options
set limit { frags 10000, states 10000 }
set loginterface $ext_if
set optimization normal
set block-policy drop

#######
#scrub packets
scrub all fragment reassemble

######
#nat and redirection
nat on $ext_if from $egwene_if:network to any -> ($ext_if)
nat on $ext_if from $elayne_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $nynaeve port 19989

######
#rules
block log all
pass quick on $loopback_if all
block in quick on $ext_if from $private_net to any
block out quick on $ext_if from any to $private_net
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $ext_out_udp_ports keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any port $ext_in_tcp_ports_from to ($ext_if) keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ext_in_tcp_ports_to flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to 127.0.0.1 port $ext_in_apache flags S/SA synproxy state
pass in quick on $egwene_if inet proto udp from $egwene_if:network to $nynaeve_nic2 port $egwene_in_udp_ports keep state
pass in quick on $egwene_if inet proto tcp from $egwene_if:network to any port $egwene_in_tcp_ports flags S/SA keep state
pass out quick on $egwene_if inet proto tcp from $egwene_if:network to any port $egwene_out_tcp_ports flags S/SA keep state
pass out quick on $egwene_if inet proto tcp from $elayne_if:network to $egwene_if:network port $egwene_out_home_lan_services flags S/SA keep state
pass in quick on $egwene_if inet proto tcp from $nynaeve_nic2 port = socks to $egwene_if:network
pass out quick on $elayne_if inet proto udp from $elayne_if:network to $nynaeve_nic3 port $elayne_in_udp_ports keep state
pass in quick on $elayne_if inet proto tcp from $elayne_if:network to any port $elayne_in_tcp_ports flags S/SA keep state
pass out quick on $elayne_if inet proto tcp from $elayne_if:network to any port $elayne_out_tcp_ports keep state
pass out quick on $elayne_if inet proto tcp from $egwene_if:network to $elayne_if:network port $elayne_out_home_lan_services flags S/SA keep state
pass in quick on $elayne_if inet proto tcp from $nynaeve_nic3 port = socks to $elayne_if:network

#allow pings to go out
pass out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type $icmp_types keep state
pass in quick on $egwene_if inet proto icmp from $egwene_if:network to any icmp-type $icmp_types keep state
pass in quick on $elayne_if inet proto icmp from $elayne_if:network to any icmp-type $icmp_types keep state

#allow VNC coming in from outside world
pass out quick on $egwene_if inet proto tcp from $nynaeve_nic2 to $egwene port = 5900 flags S/SA keep state
pass out quick on $egwene_if inet proto tcp from $nynaeve_nic2 to $rand port = 5901 flags S/SA keep state
pass out quick on $elayne_if inet proto tcp from $nynaeve_nic3 to $elayne port = 5905 flags S/SA keep state
=============================

As can be seen above, the "egwene" and "elayne" sections have similar configs except for the interface and IP addresses.
I have a 3rd PC which is connected to the "elayne section" and has a fresh install of Windows XP. This 3rd PC has been configured as:

IP = 192.168.2.2
gateway = 192.168.2.1
dns = 192.168.2.1

Every time I run "tcpdump -i pflog0", the 3rd PC's DNS requests are blocked. The output is something like:

elayne.wot.blackjack > nynaeve_nic3.domain

I can ping 192.168.1.1 and 192.168.2.1, and I can VNC from the 3rd PC to a 2nd PC in the network, so this 3rd PC is connected to the network. I am not sure if only the DNS request is the problem.

I have a 2nd PC also running Windows XP and using:

IP = 192.168.1.2
gateway = 192.168.1.1
DNS = 192.168.1.1

This PC has no problems whatsoever with connecting to the internet and it has no problems with DNS queries.

I then changed the 3rd PC's IP to 192.168.1.3 (using the same gateway and DNS server as the 2nd PC) and then proceeded to connect the cat5 cable to the same switch where the 2nd PC is connected. Since the 2nd PC has no internet connection problems, it is safe to assume that the 3rd PC's DNS requests won't be blocked. Well, after running tcpdump again, DNS queries from the 3rd PC with the new IP are still getting blocked.

As another test, I turned off the 3rd PC and changed the IP of the 2nd PC to 192.168.1.3, which is the same IP as the 3rd PC. Since DNS requests from the 3rd PC are getting blocked, I am expecting that DNS requests from the 2nd PC will be blocked now. Guess what? No problems at all.

I know that somehow Windows XP is caching DNS that has been queried before. So when I tested it, I went to sites (e.g. www.bbc.co.uk or www.excite.com or www.yahoo.com or www.excite.co.jp) I haven't visited yet.

Could the network card on the 3rd PC be faulty? But as I said above, I can ping 192.168.1.1 and 192.168.2.1 from the 3rd PC. And VNC from the 3rd PC to the 2nd PC is not a problem.

Any help is appreciated. Thank you for the replies.
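As an added illustration, not part of the original post or of pf itself: the elayne UDP rule in the ruleset above is `pass out` on $elayne_if, whereas its egwene counterpart is `pass in`. A client's DNS query enters the firewall inbound on xl2, so an `out` rule on that interface can never match it, and the catch-all `block log all` is what logs it to pflog0. The model below reproduces pf's last-match/quick evaluation for just the fields those rules use, with the addresses from the posted pf.conf; the CORRECTED ruleset (elayne rule direction changed to `in`) is my assumption about the intended rule.

```python
import ipaddress

# Added example, not from the original post: a minimal model of pf rule
# evaluation (last match wins; a matching "quick" rule ends evaluation)
# covering only the fields the posted DNS rules use.

def rule(action, direction=None, iface=None, proto=None,
         src=None, dst=None, dport=None, quick=False):
    """None means 'any' for that field, as in an unqualified pf rule."""
    return dict(action=action, direction=direction, iface=iface, proto=proto,
                src=src, dst=dst, dport=dport, quick=quick)

# Posted rules that a LAN client's DNS query (udp/53 to its gateway) can hit.
# Macro values expanded from the posted pf.conf; note the elayne rule is
# "pass out" on xl2, exactly as posted.
POSTED = [
    rule("block"),                                               # block log all
    rule("pass", "in",  "xl1", "udp", "192.168.1.0/24", "192.168.1.1/32", 53, quick=True),
    rule("pass", "out", "xl2", "udp", "192.168.2.0/24", "192.168.2.1/32", 53, quick=True),
]

# Assumed fix: the elayne rule with direction "in", mirroring the egwene rule.
CORRECTED = [dict(r, direction="in") if r["iface"] == "xl2" else r for r in POSTED]

def matches(r, pkt):
    """Field-by-field match; a None field in the rule matches anything."""
    for field in ("direction", "iface", "proto"):
        if r[field] is not None and r[field] != pkt[field]:
            return False
    for field in ("src", "dst"):
        if r[field] is not None and \
                ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(r[field]):
            return False
    return r["dport"] is None or r["dport"] == pkt["dport"]

def evaluate(rules, pkt):
    """Return 'pass' or 'block' for pkt under pf's last-match/quick semantics."""
    result = "pass"                 # pf's implicit default when no rule matches
    for r in rules:
        if matches(r, pkt):
            result = r["action"]
            if r["quick"]:
                break
    return result

def dns_query(iface, src, dst):
    """A client's DNS request as pf sees it: inbound on the LAN interface."""
    return dict(direction="in", iface=iface, proto="udp", src=src, dst=dst, dport=53)

ELAYNE_QUERY = dns_query("xl2", "192.168.2.2", "192.168.2.1")   # the 3rd PC
EGWENE_QUERY = dns_query("xl1", "192.168.1.2", "192.168.1.1")   # the 2nd PC
```

On the firewall itself, `tcpdump -n -e -ttt -i pflog0` prints the number of the rule that logged each packet, which confirms the matching rule without any modelling.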