From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "Vadym Chepkov"
Date: Thu, 12 Apr 2007 15:09:39 -0700
Subject: RE: DMZ problem
List-Id: Technical discussion and general questions about packet filter (pf)

Hello Vadym:

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vadym Chepkov
> Sent: Wednesday, April 11, 2007 9:24 PM
> To: freebsd-pf@freebsd.org
> Subject: DMZ problem
>
> Hello everyone,
>
> I earlier asked a question about Amanda, still haven't solved it, but it
> seems I have a bigger problem. I am obviously doing something wrong here;
> maybe by fixing this issue I will be able to fix it as well.
>
> I discovered my secondary DNS server, which is located outside of our
> network, is not able to transfer the zone file from the primary DNS server,
> which is located in our DMZ. My DMZ rules are built on "inversed" logic,
> since I want to limit access to it from all interfaces (we have many of
> them), so I don't want to duplicate "in" rules on all other interfaces for
> the DMZ.
> I reduced my pf.conf to the bare minimum, and yes, if I disable pf, I am
> able to axfr the zone right away.
> This is the actual pf.conf that I am testing with, and it doesn't work. And
> what is very frustrating, pflog is silent. I don't see anything being
> dropped.
>
> -----------------------------
> dmz_if="em0"
> wan_if="bge0"
>
> set optimization normal
> set block-policy return
> set skip on lo
> scrub in
>
> block in log on $wan_if
> pass out on $wan_if from { $wan_if $dmz_if:network } keep state
> # DMZ has its own rules
> pass in on $wan_if to $dmz_if:network
>
> # SSH so I can log back in
> pass in quick on $wan_if proto tcp to port ssh flags S/SA keep state
>
> # DMZ
> block out log on $dmz_if
> pass in on $dmz_if keep state
> pass out quick on $dmz_if proto tcp to port domain flags S/SA keep state
> pass out quick on $dmz_if proto udp to port domain keep state
>
> --------------------------------
>

You might want to try:

pass out log quick on $dmz_if proto udp from any to any port 53 keep state
pass out log quick on $wan_if proto udp from any to any port 53 keep state

You could also ratchet down the source and destination IP addresses instead of using the interfaces if you wanted to be more granular.

Mike
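Added example, not from either poster: a small Python model of pf's evaluation order (the last matching rule wins unless a matching rule is marked `quick`) run over Vadym's quoted ruleset, showing which rule decides the zone-transfer packets and why a `pass` without `log` keeps pflog silent even though `block ... log` rules matched earlier in the walk. It assumes $wan_if = bge0 and $dmz_if = em0 as in the config, and ignores state tracking, address matching, TCP flags and scrub.

```python
# Added example, not from the thread: a minimal model of pf's rule evaluation
# applied to the quoted ruleset ($wan_if = bge0, $dmz_if = em0). Only direction,
# interface, protocol and destination port are modelled (no states/addresses/flags).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str
    log: bool = False
    quick: bool = False
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):      # pkt = (direction, iface, proto, dport)
        direction, iface, proto, dport = pkt
        return (self.direction == direction and self.iface == iface
                and self.proto in (None, proto) and self.dport in (None, dport))

def evaluate(rules, pkt):
    """Return (action, rule index, logged) for the rule deciding pkt: the LAST
    matching rule wins unless a match is "quick", which stops evaluation at
    once; pflog records the packet only if that deciding rule carries "log"."""
    decided = None
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            decided = idx
            if rule.quick:
                break
    if decided is None:
        return ("pass", None, False)   # no match: pf's implicit default is pass
    return (rules[decided].action, decided, rules[decided].log)

# The quoted pf.conf as rules, in order (options, scrub and skip are not rules)
RULESET = [
    Rule("block", "in",  "bge0", log=True),
    Rule("pass",  "out", "bge0"),
    Rule("pass",  "in",  "bge0"),                          # to $dmz_if:network
    Rule("pass",  "in",  "bge0", quick=True, proto="tcp", dport=22),
    Rule("block", "out", "em0",  log=True),
    Rule("pass",  "in",  "em0"),
    Rule("pass",  "out", "em0",  quick=True, proto="tcp", dport=53),
    Rule("pass",  "out", "em0",  quick=True, proto="udp", dport=53),
]
# Constructed packets: the AXFR connection arriving on the WAN side, then leaving
# towards the DMZ; both are decided by pass rules without "log", so pflog stays silent.
AXFR_IN = ("in", "bge0", "tcp", 53)
AXFR_OUT = ("out", "em0", "tcp", 53)
```

Packets matched by an existing state entry never reach the ruleset at all, so pflog silence alone does not prove a rule passed them; the counters in `pfctl -si` and the state table in `pfctl -ss` are the next things to check.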