From: "Vadym Chepkov" <vchepkov@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 12 Apr 2007 00:23:31 -0400
Subject: DMZ problem
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello everyone,

I earlier asked a question about Amanda, still haven't solved it, but it seems I have a bigger problem; I am obviously doing something wrong here, maybe by fixing this issue I will be able to fix it as well.

I discovered my secondary DNS server, which is located outside of our network, is not able to transfer the zone file from the primary DNS server, which is located in our DMZ. My DMZ rules are built on "inversed" logic, since I want to limit access to it from all interfaces (we have many of them), so I don't want to duplicate "in" rules on all other interfaces for the DMZ.

I reduced my pf.conf to the bare minimum, and yes, if I disable pf, I am able to axfr the zone right away. This is the actual pf.conf that I am testing with, and it doesn't work. And what is very frustrating, pflog is silent. I don't see anything being dropped.

-----------------------------
dmz_if="em0"
wan_if="bge0"

set optimization normal
set block-policy return
set skip on lo

scrub in

block in log on $wan_if
pass out on $wan_if from { $wan_if $dmz_if:network } keep state

# DMZ has its own rules
pass in on $wan_if to $dmz_if:network

# SSH so I can login back
pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state

# DMZ
block out log on $dmz_if
pass in on $dmz_if keep state
pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state
pass out quick on $dmz_if proto udp to port domain keep state
--------------------------------

Could you tell me what is wrong with these rules, please?

Thank you,
Vadym Chepkov
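The ruleset above relies on two pf evaluation rules: the last matching rule decides the verdict, and a matching rule marked `quick` ends evaluation at once. That is what makes the "inversed" DMZ logic work: `block out log on $dmz_if` denies everything heading into the DMZ from any ingress interface, and the two `pass out quick` rules punch DNS through it. The following toy evaluator is an added illustration, not part of the original mail or of pf itself. It transcribes the poster's eight rules and walks the first two packets of a zone-transfer TCP handshake through both interfaces. It models only interface, direction, protocol, addresses and destination port; state tracking, `scrub`, `flags` and `block-policy` are deliberately left out. The addresses (198.51.100.1 for `$wan_if`, 192.0.2.0/24 for `$dmz_if:network`, the primary at 192.0.2.53 and the secondary at 203.0.113.53) are constructed, since the mail names only the interfaces.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (assumptions): the mail gives interface names only.
WAN_ADDR = ip_network("198.51.100.1/32")    # address of $wan_if
DMZ_NET = ip_network("192.0.2.0/24")        # $dmz_if:network
PRIMARY_DNS = "192.0.2.53"                  # assumed primary in the DMZ
SECONDARY_DNS = "203.0.113.53"              # assumed external secondary


@dataclass
class Packet:
    iface: str
    direction: str  # "in" or "out", relative to the firewall interface
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    text: str                   # the rule as written in the pf.conf above
    action: str                 # "pass" or "block"
    direction: str
    iface: str
    quick: bool = False
    proto: Optional[str] = None
    src: Optional[List] = None  # list of networks; None means "any"
    dst: Optional[List] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if (self.iface, self.direction) != (p.iface, p.direction):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and not any(ip_address(p.src) in n for n in self.src):
            return False
        if self.dst is not None and not any(ip_address(p.dst) in n for n in self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# The poster's rules, in pf.conf order (macros expanded to the assumed values).
RULES = [
    Rule("block in log on $wan_if", "block", "in", "bge0"),
    Rule("pass out on $wan_if from { $wan_if $dmz_if:network } keep state",
         "pass", "out", "bge0", src=[WAN_ADDR, DMZ_NET]),
    Rule("pass in on $wan_if to $dmz_if:network", "pass", "in", "bge0", dst=[DMZ_NET]),
    Rule("pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state",
         "pass", "in", "bge0", quick=True, proto="tcp", dport=22),
    Rule("block out log on $dmz_if", "block", "out", "em0"),
    Rule("pass in on $dmz_if keep state", "pass", "in", "em0"),
    Rule("pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state",
         "pass", "out", "em0", quick=True, proto="tcp", dport=53),
    Rule("pass out quick on $dmz_if proto udp to port domain keep state",
         "pass", "out", "em0", quick=True, proto="udp", dport=53),
]


def evaluate(rules, p):
    """pf ordering: the last matching rule wins, unless a matching rule is
    'quick', which stops evaluation immediately. No match at all means pass."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return ("pass", None) if winner is None else (winner.action, winner.text)


def trace_axfr(rules=RULES, sport=40000):
    """Walk the SYN and SYN/ACK of a zone transfer (TCP/53 from the secondary
    to the primary) across both interfaces, ignoring state entirely."""
    legs = [
        ("SYN arrives on WAN", Packet("bge0", "in", "tcp", SECONDARY_DNS, PRIMARY_DNS, 53)),
        ("SYN leaves towards DMZ", Packet("em0", "out", "tcp", SECONDARY_DNS, PRIMARY_DNS, 53)),
        ("SYN/ACK arrives from DMZ", Packet("em0", "in", "tcp", PRIMARY_DNS, SECONDARY_DNS, sport)),
        ("SYN/ACK leaves on WAN", Packet("bge0", "out", "tcp", PRIMARY_DNS, SECONDARY_DNS, sport)),
    ]
    return [(name,) + evaluate(rules, p) for name, p in legs]


if __name__ == "__main__":
    for name, action, rule in trace_axfr():
        print(f"{name:26s} -> {action:5s} ({rule})")
    # An outside host reaching a DMZ web server: denied by the catch-all
    # "block out log on $dmz_if", whichever interface it came in on.
    print(evaluate(RULES, Packet("em0", "out", "tcp", "203.0.113.80", "192.0.2.10", 80)))
```

In this stateless model every leg of the transfer is passed by a rule, and the only verdict that reaches pflog is the `block out log on $dmz_if` hit for non-DNS traffic into the DMZ. A packet a stateless walk passes can still be dropped by state tracking on the real system, and such drops are not rule hits, so they do not show up on pflog0; `pfctl -ss` (current states) and `set debug misc` (state mismatch messages) are the places to look for them.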