From: Gerard Samuel
Date: Tue, 01 Mar 2005 21:25:25 -0500
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: What's wrong with this ruleset?
Message-ID: <42252415.7030808@trini0.org>
In-Reply-To: <200503020248.01088.max@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf)

Max Laier wrote:
>On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
>>For some reason, port 53 is blocked going out of the external interface ->
>>000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > xx.xx.xx.xxx.4973
>>
>>I'm still new to pf, but shouldn't the last two lines allow anything going out
>>to pass??
>>Any ideas on how to fix?
>>
>
>Can you send the output of "$pfctl -vsr" after some packets have been blocked?
>The match counters are extremely helpful when debugging such problems.
>

Just before this email came in, I changed the last 2 rules to ->

#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto {udp, icmp} all keep state
pass out on $ext_if proto {tcp, udp, icmp} all keep state

And it started working.
I've changed it back, and I'll try what you've suggested in a few hours, when the DNS servers start looking for updates...
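Max's advice to look at the match counters is the standard way to find out which rule is actually deciding a packet's fate: pf evaluates the whole ruleset and the last matching rule wins (unless a rule says "quick"), so a pass rule whose Packets counter stays at zero never matched the traffic, however permissive it looks. The script below is an added example and is not part of this thread; the pfctl -vsr output it reads is constructed to resemble the real format and is not Gerard's ruleset or his counters. It lists every rule that has matched packets and, separately, rules that pf never even evaluated.

```shell
# Added example (not from the mailing-list thread): pick out the rules that
# actually matched traffic from "pfctl -vsr" output. Each rule is printed on
# its own line, followed by an indented counter line such as
#   [ Evaluations: 220       Packets: 17        Bytes: 1360        States: 0     ]
#
# The sample below is constructed to look like pfctl -vsr output; it is not
# taken from the poster's firewall.
SAMPLE_PFCTL_VSR='block drop out log on ed0 all
  [ Evaluations: 220       Packets: 17        Bytes: 1360        States: 0     ]
pass out on ed0 proto tcp all flags S/SA modulate state
  [ Evaluations: 200       Packets: 0         Bytes: 0           States: 0     ]
pass out on ed0 proto udp all keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out on ed0 proto icmp all keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# Read pfctl -vsr output on stdin and print "<packets> <rule>" for every rule
# whose Packets counter is non-zero. With last-match-wins semantics, the last
# such rule for a given flow is the one that decided it.
matched_rules() {
    awk '
        /^  \[ Evaluations:/ {
            # the counter line belongs to the rule printed just before it
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            if (pkts + 0 > 0) print pkts, rule
            next
        }
        /^[^ ]/ { rule = $0 }   # any non-indented line starts a new rule
    '
}

# Rules with zero Evaluations were never considered for any packet: either a
# "quick" rule stopped evaluation earlier, or pf skipped them because their
# interface, direction or protocol could not match the traffic seen so far.
never_evaluated() {
    awk '
        /^  \[ Evaluations:/ {
            if ($3 + 0 == 0) print rule
            next
        }
        /^[^ ]/ { rule = $0 }
    '
}

echo "rules that matched packets:"
printf '%s\n' "$SAMPLE_PFCTL_VSR" | matched_rules
echo "rules pf never evaluated:"
printf '%s\n' "$SAMPLE_PFCTL_VSR" | never_evaluated
```

On a live system replace the sample with `pfctl -vsr | matched_rules`; run it once, generate the traffic that is being blocked, run it again, and the rule whose Packets counter moved is the one the block message in pflog is pointing at.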