Date: Tue, 10 May 2005 13:50:27 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Fafa Hafiz Krantz <fteg@london.com>, Jan Grant <Jan.Grant@bristol.ac.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
Message-ID: <20050510105027.GA6166@orion.daedalusnetworks.priv>
In-Reply-To: <20050510101000.494C64BEAD@ws1-1.us4.outblaze.com>
References: <20050510101000.494C64BEAD@ws1-1.us4.outblaze.com>
On 2005-05-10 05:09, Fafa Hafiz Krantz <fteg@london.com> wrote:
>> It's a question of letting DNS traffic _in_ to your nameserver:
>>
>> pass in on $ext_if inet proto { tcp, udp } \
>> from any to ($ext_if) port 53
>>
>> ^^^ that lets the traffic in....
>>
>> pass out on $ext_if inet proto { tcp, udp } \
>> from ($ext_if) port 53 to any
>>
>> ^^^ and that lets it back out.
>>
>> If you add the "query-source address * port 53;" to your named.conf
>> "options" section, that'll suffice; additionally, since your DNS
>> query source port is then predictable, you can drop it from the DNS
>> and NTP rule.
>
> Hello again, Jan!
>
> Well, I tried applying what you said now as well as last time you
> said it -- but the problem is still there. Unless I uncomment the default
> deny policy nothing seems to work. The problem must lie elsewhere in my
> ruleset:

Show us the output of:

# pfctl -sr

[snip ruleset]
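For readers following the thread, here is a minimal pf.conf that puts Jan's two DNS rules in context with the default-deny policy Fafa mentions, together with the pfctl checks Giorgos asks for. This is an added example, not a ruleset posted by anyone in the thread; the interface name fxp0 and the use of lo0 are assumptions.

```pf
# Added example: minimal /etc/pf.conf around the two DNS rules quoted above.
# "fxp0" is an assumed external interface name; adjust to your own.
ext_if = "fxp0"

# Loopback traffic is never filtered.
set skip on lo0

# Default-deny policy: anything not matched by a later pass rule is dropped.
# Rules are evaluated top to bottom and the last match wins, so the pass
# rules must come after these two lines.
block in log all
block out log all

# Let DNS queries from anywhere reach the nameserver on this host
# (Jan's "pass in" rule).
pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53

# Let the nameserver's replies leave. With
#   query-source address * port 53;
# in the options { } section of named.conf, the server's own outgoing
# queries also use source port 53, so this one rule covers both its
# replies and its recursive lookups, and their answers come back in
# through the "pass in" rule above.
pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) port 53 to any

# Verification from a root shell:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -f  /etc/pf.conf   load it
#   pfctl -sr                print the rules actually loaded (what
#                            Giorgos asks to see), so you can compare
#                            against what you thought you wrote
```

Pinning the query source port to 53 is what makes the rules this compact, but it also removes source-port randomisation from the resolver, which is one of the defences against forged replies; a stateful alternative (adding "keep state" to the pass rules) lets the source port stay random while still matching the returning answers.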