From owner-freebsd-questions@FreeBSD.ORG Tue May 10 10:50:55 2005
Date: Tue, 10 May 2005 13:50:27 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Fafa Hafiz Krantz, Jan Grant
cc: freebsd-questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
Message-ID: <20050510105027.GA6166@orion.daedalusnetworks.priv>
In-Reply-To: <20050510101000.494C64BEAD@ws1-1.us4.outblaze.com>

On 2005-05-10 05:09, Fafa Hafiz Krantz wrote:
>> It's a question of letting DNS traffic _in_ to your nameserver:
>>
>>     pass in on $ext_if inet proto { tcp, udp } \
>>         from any to ($ext_if) port 53
>>
>> ^^^ that lets the traffic in....
>>
>>     pass out on $ext_if inet proto { tcp, udp } \
>>         from ($ext_if) port 53 to any
>>
>> ^^^ and that lets it back out.
>>
>> If you add the "query-source address * port 53;" to your named.conf
>> "options" section, that'll suffice; additionally, since your DNS
>> query source port is then predictable, you can drop it from the DNS
>> and NTP rule.
>
> Hello again, Jan!
>
> Well, I tried applying what you said now as well as last time you
> said it -- but the problem is still there. Unless I uncomment the default
> deny policy nothing seems to work. The problem must lie elsewhere in my
> ruleset:

Show us the output of:

    # pfctl -sr

[snip ruleset]
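An added example, not part of the thread or of anyone's posted ruleset: a minimal default-deny pf.conf that shows where the two DNS rules quoted above have to sit relative to the "block all" policy the poster is struggling with. The interface name fxp0 and the variable ext_if are assumptions. It differs from the quoted rules in one respect: it adds "keep state" to both DNS rules. With the stateless rules as quoted, the reply to an outbound query only matches the inbound port-53 rule if named sends its queries from port 53, which is why the query-source line is needed; with state tracking, pf admits the reply on whatever source port named chose, so the source port stays unpredictable and the named.conf change is unnecessary.

```pf
# Added example (not from the thread): a default-deny pf.conf that
# admits DNS to and from a nameserver running on this host. The
# interface name and everything else here are assumptions.
ext_if = "fxp0"          # assumed external interface; adjust to yours

set skip on lo0          # never filter loopback traffic

# Default deny. pf uses last-matching-rule semantics, so these blocks
# go first and the pass rules below override them for matching packets.
# 'log' sends blocked packets to pflog0, which is what you want to look
# at when "nothing works" with the deny policy enabled.
block in log all
block out log all

# Queries from anyone to our nameserver. 'keep state' records the flow
# on the first packet, so the matching reply leaves without needing a
# separate 'pass out ... port 53' rule.
pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53 keep state

# Our nameserver's own queries to other nameservers. The source port is
# deliberately left unrestricted: the state entry admits the reply on
# whichever port named picked, so "query-source address * port 53;" in
# named.conf is not required and the source port is not pinned to 53.
pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) to any port 53 keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and compare what is actually in the kernel (`pfctl -sr`, which is what the reply above asks for) against the file; `pfctl -ss` shows the state entries created by the two DNS rules, and `tcpdump -n -e -ttt -i pflog0` shows exactly which packets the block rules are dropping.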