Date: Tue, 01 Mar 2005 21:25:25 -0500
From: Gerard Samuel <fbsd-pf@trini0.org>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Whats wrong with this ruleset?
Message-ID: <42252415.7030808@trini0.org>
In-Reply-To: <200503020248.01088.max@love2party.net>
References: <4224F74B.1030502@trini0.org> <200503020248.01088.max@love2party.net>
Max Laier wrote:
> On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
>> For some reason, port 53 is blocked going out of the external interface ->
>> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > xx.xx.xx.xxx.4973
>>
>> I'm still new to pf, but shouldn't the last two lines allow anything
>> going out to pass??
>> Any ideas on how to fix?
>
> Can you send the output of "$pfctl -vsr" after some packets have been blocked?
> The match counters are extremely helpful when debugging such problems.

Just before this email came in, I changed the last 2 rules to ->

#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto {udp, icmp} all keep state
pass out on $ext_if proto {tcp, udp, icmp} all keep state

And it started working. I've changed it back, and I'll try what you've suggested in a few hours, when the DNS servers start looking for updates...
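An added example, not part of the thread: a small Python parser for the tcpdump-on-pflog line format quoted above ("rule N/M(match): block out on ed0: IP src.port > dst.port"). It counts blocked packets per rule number, direction, interface and service port, which is the same question the `pfctl -vsr` match counters answer from the rule side: which rule is dropping which service's traffic. The log lines, interface name and addresses (from documentation ranges) are constructed for this example; the line shape follows the one quoted in the thread, and any trailing tcpdump detail after the ports is ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Line shape as printed by tcpdump on a pflog interface (constructed sample below):
#   ... rule <num>/<sub>(<reason>): <action> <in|out> on <ifname>: IP <src>.<sport> > <dst>.<dport> ...
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>[^:\s]+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

# Constructed sample log, not real traffic: two DNS replies blocked outbound
# (as in the thread), one passed SSH connection, one blocked inbound SMB probe,
# and one line that is not a pflog record at all.
SAMPLE_PFLOG = """\
00:00:01.000000 rule 0/0(match): block out on ed0: IP 203.0.113.5.53 > 198.51.100.7.4973: UDP, length 120
00:00:01.100000 rule 0/0(match): block out on ed0: IP 203.0.113.5.53 > 198.51.100.8.51023: UDP, length 96
00:00:02.000000 rule 3/0(match): pass in on ed0: IP 198.51.100.9.40001 > 203.0.113.5.22: Flags [S], length 0
00:00:02.500000 rule 0/0(match): block in on ed0: IP 192.0.2.44.6000 > 203.0.113.5.445: Flags [S], length 0
this line is not a pflog record and must be skipped
"""


@dataclass(frozen=True)
class PfLogEntry:
    rule: int
    reason: str
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def service_port(self) -> int:
        # For outbound packets the local service is the source port (e.g. a DNS
        # server answering from 53); for inbound packets it is the destination port.
        return self.sport if self.direction == "out" else self.dport


def parse_pflog_line(line: str) -> Optional[PfLogEntry]:
    """Parse one tcpdump/pflog line; return None for lines that do not match."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return PfLogEntry(
        rule=int(m["rule"]),
        reason=m["reason"],
        action=m["action"],
        direction=m["direction"],
        ifname=m["ifname"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def summarize_blocks(lines: Iterable[str]) -> Counter:
    """Count blocked packets keyed by (rule, direction, ifname, service_port).

    The key tells you which rule blocked traffic, in which direction, and which
    local service was affected, so the offending rule can be compared with
    the `pfctl -vsr` counters and the pf.conf pass rules around it.
    """
    counts: Counter = Counter()
    for line in lines:
        entry = parse_pflog_line(line)
        if entry is None or entry.action != "block":
            continue
        counts[(entry.rule, entry.direction, entry.ifname, entry.service_port)] += 1
    return counts


if __name__ == "__main__":
    for (rule, direction, ifname, port), n in sorted(summarize_blocks(SAMPLE_PFLOG.splitlines()).items()):
        print(f"rule {rule} blocked {n} packet(s) {direction} on {ifname}, service port {port}")
```

Run over real output of `tcpdump -n -e -ttt -i pflog0`, the summary highlights entries like "rule 0 blocked N packets out on ed0, service port 53", which points at the default block rule rather than at any of the pass-out rules, the same conclusion the match counters would give.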