From: "Fafa Hafiz Krantz" <fteg@london.com>
To: "Jan Grant"
cc: questions@freebsd.org
Date: Tue, 10 May 2005 05:23:50 -0500
Subject: Re: PF RULES! But mine doesn't ...

> It's a question of letting DNS traffic _in_ to your nameserver:
>
> pass in on $ext_if inet proto { tcp, udp } \
> from any to ($ext_if) port 53
>
> ^^^ that lets the traffic in....
>
> pass out on $ext_if inet proto { tcp, udp } \
> from ($ext_if) port 53 to any
>
> ^^^ and that lets it back out.

Ok, after having added that it seems that my DNS works.
The same goes for my WWW and mail server. SSH servers are all OK to connect to.

I have to wait like 5 minutes after booting my computer before I can connect to those certain FTP sites. What's that all about?

> If you add the "query-source address * port 53;" to your named.conf
> "options" section, that'll suffice; additionally, since your DNS query
> source port is then predictable, you can drop it from the DNS and NTP
> rule.

What do you mean by that?

Anyway, it's pretty close to perfection now :)

Jan, any idea how I can simplify my ruleset?

Also, I'm wondering if I can move the NAT part down below the Outgoing so I can combine it with the Active FTP ruleset so they don't have to be spread throughout the conf.

Thanks!

--
Fafa Hafiz Krantz
Research Designer @ http://www.home.no/barbershop
Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf
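The pf.conf fragment below is an added example, not Jan's or Fafa's ruleset, showing where the two DNS rules quoted above sit in a pf.conf and what the "query-source ... port 53" remark changes. The interface name, the LAN prefix and the NTP server are assumed placeholders. Two things worth knowing: pf of this era requires the translation (nat/rdr) section to come before all filter rules, so the NAT block cannot be moved below the outgoing rules; and fixing the query source port to 53 makes the nameserver's outgoing queries predictable, which is exactly what lets the separate outbound rule be dropped, at the cost of that predictability.

```pf
# Added example pf.conf (not from the thread). Placeholders: fxp0,
# 192.168.9.0/24 and the NTP server address are assumptions.
ext_if = "fxp0"
lan_net = "192.168.9.0/24"
ntp_server = "192.0.2.1"

# pf.conf section order is fixed: macros/tables, options, scrub,
# queueing, nat/rdr/binat, then filter rules. nat must stay up here.
scrub in all

# --- translation section ---
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- filter rules ---
block all

# Nameserver: queries from anywhere arrive at our port 53 ...
pass in  on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53 keep state

# ... and answers leave from port 53. With
#   query-source address * port 53;
# in the named.conf "options" section, named's own outbound queries
# also originate from port 53, so this one rule covers them too.
pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) port 53 to any keep state

# Without a fixed query-source port, named sends queries from a random
# high port and needs its own outbound rule (this is the rule Jan says
# can be dropped once the source port is pinned to 53):
# pass out on $ext_if inet proto { tcp, udp } \
#     from ($ext_if) to any port 53 keep state

# NTP: the client side uses a random high port unless ntpd is configured
# otherwise, so keep the source unrestricted here.
pass out on $ext_if inet proto udp \
    from ($ext_if) to $ntp_server port 123 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a rule placed in the wrong section is reported as a syntax error rather than silently reordered.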