PF RULES! But mine doesn't ...

Jan Grant Jan.Grant at bristol.ac.uk
Tue May 10 03:37:35 PDT 2005


On Tue, 10 May 2005, Fafa Hafiz Krantz wrote:

> Ok, after having added that it seems that my DNS works.
> The same goes for my WWW and mail server.
> 
> SSH servers are all OK to connect to.
> 
> I have to wait like 5 minutes after booting my computer
> before I can connect to those certain FTP sites. What's
> that all about?
> 
> > If you add the "query-source address * port 53;" to your named.conf
> > "options" section, that'll suffice; additionally, since your DNS query
> > source port is then predictable, you can drop it from the DNS and NTP
> > rule.
> 
> What do you mean by that?

The rules I suggested are so that external machines can talk to your DNS 
server (querying about the domain it is authoritative for), and so that 
responses can get back to those machines.

Your nameserver, however, may also be trying to get requests out. When 
it does this, by default, it will use a random source-port. By 
specifying

options {
	query-source address * port 53;
}

in your named.conf, your nameserver will _also_ use port 53 as the 
source port on any requests _that it originates_. (That's the 
distinction). If you do this, then you won't need port 53 mentioned in 
your other "keep state" rule.

I suspect that this might actually be the cause of your transient FTP 
concern; you should try modifying your nameserver config before you go 
any further.

(This assumes that your resolv.conf is configured to use the local 
machine as a nameserver in the first instance. If that is not the case, 
then you will still need the port 53 clause in your "DNS and NTP" 
section, because other programs will use random ports in an attempt to 
get DNS queries out into the wild.)

> Anyway, it's pretty close to perfection now :)
> 
> Jan, any idea how I can simplify my ruleset?
> Also, I'm wondering if I can move the NAT part down below the Outgoing
> so I can combine it with the Active FTP ruleset so they don't have to be
> spread throughout the conf. Thanks!

Your ruleset looks pretty simple, to be honest.

I'm afraid that where the specifics of PF are concerned, I know nothing: 
the advice I've given you is just generic firewall stuff :-/ It looks to 
me like your PF config is set up to use some kind of FTP proxy running 
on localhost:8021. On the other hand, I could be barking up the wrong 
tree completely; I've pretty much run out of useful things to say about 
this config.

Cheers,
jan


-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck)   http://ioctl.org/jan/
Prolog in JavaScript: http://ioctl.org/logic/prolog-latest
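The inbound-versus-originated distinction Jan draws above, as an added pf.conf illustration that is not part of the original thread or the poster's ruleset. The interface name, the server address and the rule layout are assumptions.

```pf
# Added example: pf.conf fragment (not the poster's ruleset). Interface name
# and address are assumptions; adjust to the real host.
ext_if = "fxp0"
ns_ip  = "192.0.2.53"        # constructed address of this authoritative server

# 1. Inbound: external machines querying the zones this server is
#    authoritative for. "keep state" lets the replies back out to them.
pass in  on $ext_if proto udp from any to $ns_ip port 53 keep state
pass in  on $ext_if proto tcp from any to $ns_ip port 53 flags S/SA keep state

# 2. Outbound queries the nameserver itself originates (recursion on
#    behalf of local clients, lookups of other zones, and so on).
#
# 2a. Default BIND behaviour: random source port. The state rule can only
#     name the destination port, so port 53 has to stay in the combined
#     "DNS and NTP" rule and the source port is left open.
pass out on $ext_if proto udp from $ns_ip to any port { 53, 123 } keep state

# 2b. Alternative to 2a. With "query-source address * port 53;" in the
#     named.conf options block, originated queries leave from source port 53
#     as well, so both ends can be pinned; NTP then needs its own rule.
pass out on $ext_if proto udp from $ns_ip port 53 to any port 53 keep state
pass out on $ext_if proto udp from $ns_ip to any port 123 keep state

# 2c. Only if resolv.conf does NOT point at the local nameserver: other
#     programs on the host resolve directly with random source ports, so a
#     2a-style rule with no source port is still required for them.
```

Pinning the query source port makes the server's outbound queries predictable; BIND has randomised UDP source ports by default since the 2008 cache-poisoning fixes, so on a current system prefer variant 2a and leave query-source unpinned.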

