Date: Tue, 01 Mar 2005 23:16:39 -0500
From: Gerard Samuel <fbsd-pf@trini0.org>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Whats wrong with this ruleset?
Message-ID: <42253E27.9080506@trini0.org>
In-Reply-To: <200503020248.01088.max@love2party.net>
References: <4224F74B.1030502@trini0.org> <200503020248.01088.max@love2party.net>
Max Laier wrote:
>On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
>
>>For some reason, port 53 is blocked going out of the external interface ->
>>000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 >
>>xx.xx.xx.xxx.4973
>>
>>I'm still new to pf, but shouldn't the last two lines allow anything
>>going out
>>to pass??
>>Any ideas on how to fix?
>>
>
>Can you send the output of "$pfctl -vsr" after some packets have been blocked?
>The match counters are extremely helpful when debugging such problems.
>

Ok, here is the output ->

gatekeeper# pfctl -vsr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
  [ Evaluations: 12507     Packets: 6644      Bytes: 0           States: 0     ]
block return log all
  [ Evaluations: 1503      Packets: 260       Bytes: 22541       States: 0     ]
pass quick on lo0 all
  [ Evaluations: 1503      Packets: 128       Bytes: 13700       States: 0     ]
block drop in quick on ed0 inet from 127.0.0.0/8 to any
  [ Evaluations: 1375      Packets: 0         Bytes: 0           States: 0     ]
block drop in quick on ed0 inet from 192.168.0.0/16 to any
  [ Evaluations: 628       Packets: 0         Bytes: 0           States: 0     ]
block drop in quick on ed0 inet from 172.16.0.0/12 to any
  [ Evaluations: 628       Packets: 0         Bytes: 0           States: 0     ]
block drop in quick on ed0 inet from 10.0.0.0/8 to any
  [ Evaluations: 628       Packets: 319       Bytes: 117104      States: 0     ]
block drop out quick on ed0 inet from any to 127.0.0.0/8
  [ Evaluations: 682       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on ed0 inet from any to 192.168.0.0/16
  [ Evaluations: 373       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on ed0 inet from any to 172.16.0.0/12
  [ Evaluations: 373       Packets: 0         Bytes: 0           States: 0     ]
block drop out quick on ed0 inet from any to 10.0.0.0/8
  [ Evaluations: 373       Packets: 0         Bytes: 0           States: 0     ]
pass in on ed0 inet proto tcp from any to (ed0) port = ssh flags S/SA keep state
  [ Evaluations: 682       Packets: 0         Bytes: 0           States: 0     ]
pass in on ed0 inet proto tcp from any to (ed0) port = auth flags S/SA keep state
  [ Evaluations: 243       Packets: 0         Bytes: 0           States: 0     ]
pass in on ed0 inet proto udp from xx.xx.xx.xx to any port = bootpc
  [ Evaluations: 309       Packets: 0         Bytes: 0           States: 0     ]
pass in on ed0 proto tcp from any to any port = ssh
  [ Evaluations: 309       Packets: 0         Bytes: 0           States: 0     ]
pass in on ed0 proto tcp from any to any port = domain
  [ Evaluations: 259       Packets: 210       Bytes: 10392       States: 0     ]
pass in on ed0 proto udp from any to any port = domain
  [ Evaluations: 260       Packets: 35        Bytes: 2367        States: 0     ]
pass in on ed0 proto tcp from any to any port = smtp
  [ Evaluations: 309       Packets: 294       Bytes: 100871      States: 0     ]
pass in on ed0 proto tcp from any to any port = pop3
  [ Evaluations: 259       Packets: 0         Bytes: 0           States: 0     ]
pass in on ed0 inet proto tcp from any to 10.0.0.1 port = http flags S/SA synproxy state
  [ Evaluations: 259       Packets: 54        Bytes: 25986       States: 0     ]
pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 683       Packets: 0         Bytes: 0           States: 0     ]
pass in on fxp0 inet from 192.168.0.0/16 to any keep state
  [ Evaluations: 664       Packets: 3099      Bytes: 1026733     States: 33    ]
pass in on fxp0 inet from 10.0.0.0/24 to any keep state
  [ Evaluations: 355       Packets: 0         Bytes: 0           States: 0     ]
pass out on fxp0 inet from any to 192.168.0.0/16 keep state
  [ Evaluations: 747       Packets: 296       Bytes: 100967      States: 0     ]
pass out on fxp0 inet from any to 10.0.0.0/24 keep state
  [ Evaluations: 19        Packets: 126       Bytes: 51074       States: 1     ]
pass out on ed0 proto tcp all flags S/SA modulate state
  [ Evaluations: 701       Packets: 1660      Bytes: 837928      States: 13    ]
pass out on ed0 proto udp all keep state
  [ Evaluations: 373       Packets: 261       Bytes: 40969       States: 3     ]
pass out on ed0 proto icmp all keep state
  [ Evaluations: 373       Packets: 38        Bytes: 3192        States: 0     ]
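The match counters Max asks for are the tool for finding which rule is actually dropping the packets. As an added example, not part of this mail or of pf, here is a small Python script that pairs each rule printed by `pfctl -vsr` with the counter line that follows it, lists the block rules with non-zero packet counts (busiest first) and flags pass rules that carry no state option; the sample input is constructed from a few of the lines quoted above, and the rule-name and counter format is assumed to be the one shown in this mail.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `pfctl -vsr` output: each rule line is
# followed by an indented counter line (values copied from the mail above).
SAMPLE = """\
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
  [ Evaluations: 12507     Packets: 6644      Bytes: 0           States: 0     ]
block return log all
  [ Evaluations: 1503      Packets: 260       Bytes: 22541       States: 0     ]
block drop in quick on ed0 inet from 10.0.0.0/8 to any
  [ Evaluations: 628       Packets: 319       Bytes: 117104      States: 0     ]
pass in on ed0 proto udp from any to any port = domain
  [ Evaluations: 260       Packets: 35        Bytes: 2367        States: 0     ]
pass out on ed0 proto udp all keep state
  [ Evaluations: 373       Packets: 261       Bytes: 40969       States: 3     ]
"""

COUNTERS = re.compile(r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
                      r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
STATEFUL = re.compile(r"\b(keep|modulate|synproxy) state\b")

def parse_pfctl_vsr(text: str) -> List[Dict]:
    """Pair each rule with the counter line printed right after it;
    banner lines such as the ALTQ notices have none and are dropped."""
    rules, pending = [], None
    for line in text.splitlines():
        m = COUNTERS.search(line)
        if m and pending is not None:
            ev, pk, by, st = map(int, m.groups())
            rules.append({"rule": pending, "evaluations": ev, "packets": pk,
                          "bytes": by, "states": st})
            pending = None
        elif line.strip():
            pending = line.strip()  # candidate rule text until a counter line follows
    return rules

def blocking_rules(rules: List[Dict]) -> List[Dict]:
    """Block rules with a non-zero packet counter: the ones dropping traffic, busiest first."""
    hits = [r for r in rules if r["rule"].startswith("block") and r["packets"]]
    return sorted(hits, key=lambda r: r["packets"], reverse=True)

def stateless_pass_rules(rules: List[Dict]) -> List[str]:
    """pass rules with no state option create no state entry, so their reply packets are judged by the out rules alone."""
    return [r["rule"] for r in rules
            if r["rule"].startswith("pass") and not STATEFUL.search(r["rule"])]
```

Run it on the real `pfctl -vsr` output instead of SAMPLE and the block rule with the largest packet count is the first place to look.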
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42253E27.9080506>
