From owner-freebsd-questions@FreeBSD.ORG Tue May 10 13:40:14 2005
From: "Fafa Hafiz Krantz"
To: "Jan Grant"
Cc: questions@freebsd.org
Date: Tue, 10 May 2005 08:40:08 -0500
Message-Id: <20050510134009.6EFB54BEAF@ws1-1.us4.outblaze.com>
Subject: Re: PF RULES! But mine doesn't ...

> The rules I suggested are so that external machines can talk to your DNS
> server (querying about the domain it is authoritative for), and so that
> responses can get back to those machines.
>
> Your nameserver, however, may also be trying to get requests out. When
> it does this, by default, it will use a random source-port. By
> specifying
>
> options {
>     query-source address * port 53;
> };
>
> in your named.conf, your nameserver will _also_ use port 53 as the
> source port on any requests _that it originates_. (That's the
> distinction). If you do this, then you won't need port 53 mentioned in
> your other "keep state" rule.
>
> I suspect that this might actually be the cause of your transient FTP
> concern; you should try modifying your nameserver config before you go
> any further.

Great :) Thanks man, I'll try that.
Isn't this something that ought to be in every named.conf?
What ports does it go to by default?

> (This assumes that your resolv.conf is configured to use the local
> machine as a nameserver in the first instance. If that is not the case,
> then you will still need the port 53 clause in your "DNS and NTP"
> section, because other programs will use random ports in an attempt to
> get DNS queries out into the wild.)

No, my resolv.conf contains my ISP's nameservers.

> Your ruleset looks pretty simple, to be honest.

I've heard many experts say 'your ruleset looks like shit', maybe because
they're jealous of my nice headers ;)

Ok, so now my named.conf's options look like this:

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    query-source address * port 53;
};

Should I specify where to log to? Because it doesn't log.

> I'm afraid that where the specifics of PF are concerned, I know nothing:
> the advice I've given you is just generic firewall stuff :-/ It looks to
> me like your PF config is set up to use some kind of FTP proxy running
> on localhost:8021. On the other hand, I could be barking up the wrong
> tree completely; I've pretty much run out of useful things to say about
> this config.

Well you do seem to me like a jack of all trades.

Have a wonderful day! :)

-- 
Fafa Hafiz Krantz
Research Designer @ http://www.home.no/barbershop
Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf
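The thread distinguishes two situations for the stateful outbound DNS rule: named pinned to source port 53 with query-source, versus the default random source port (or, as in Fafa's case, resolv.conf pointing at the ISP's resolvers, so the libc stub resolver sends from random ports). The pf.conf fragment below is an added example written for this page, not a ruleset from either poster; it assumes an external interface called fxp0 and a local authoritative named, both of which are assumptions. Note that later BIND releases deliberately randomize the source port of the queries they originate, so pinning it with query-source is no longer the recommended default; the fragment follows the 2005 configuration the thread discusses, and only one of the two outbound rules should be active at a time.

```pf
# Added example pf.conf fragment (not from the thread).
# Assumption: the external interface is fxp0 and named on this host is
# authoritative for some zone.
ext_if = "fxp0"

# Inbound: queries from external machines to the authoritative server,
# and the replies back to them (what the original suggested rules cover).
pass in  on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 keep state

# Outbound, case A: named.conf contains
#     options { query-source address * port 53; };
# so every query named originates leaves from source port 53 and the
# state entry can be keyed on that fixed source port.
pass out on $ext_if proto udp from ($ext_if) port 53 to any port 53 keep state

# Outbound, case B: default named (random source port), or resolv.conf
# lists the ISP's resolvers so the stub resolver in libc uses random
# source ports. Match on the destination port only; this rule also covers
# case A, which is why only one of the two is needed.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
```

On FreeBSD, `sockstat -4 | grep named` shows which local ports named has bound, and `pfctl -s state` lists the states PF created for outgoing queries, so together they confirm which of the two cases a host is actually in before the tighter rule is relied on.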