PF RULES! But mine doesn't ...

Giorgos Keramidas keramida at ceid.upatras.gr
Tue May 10 03:50:55 PDT 2005


On 2005-05-10 05:09, Fafa Hafiz Krantz <fteg at london.com> wrote:
>> It's a question of letting DNS traffic _in_ to your nameserver:
>>
>> pass in on $ext_if inet proto { tcp, udp } \
>> 	from any to ($ext_if) port 53
>>
>> ^^^ that lets the traffic in....
>>
>> pass out on $ext_if inet proto { tcp, udp } \
>> 	from ($ext_if) port 53 to any
>>
>> ^^^ and that lets it back out.
>>
>> If you add the "query-source address * port 53;" to your named.conf
>> "options" section, that'll suffice; additionally, since your DNS
>> query source port is then predictable, you can drop it from the DNS
>> and NTP rule.
>
> Hello again, Jan!
>
> Well, I tried applying what you said now as well as last time you
> said it -- but the problem is still there. Unless I uncomment the default
> deny policy nothing seems to work. The problem must lie elsewhere in my
> ruleset:

Show us the output of:

	# pfctl -sr

[snip ruleset]
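For comparison, a minimal pf.conf built around the rules Jan quoted above, added here as an example and not taken from the thread or from anyone's actual ruleset; the interface name, the "keep state" keywords and the loopback rule are assumptions:

```pf
# Example pf.conf (constructed): default deny plus the two DNS rules.
# ASSUMPTION: the nameserver runs on the firewall host itself.
ext_if = "fxp0"          # ASSUMPTION: replace with your external interface

# Loopback is trusted; match it first so later rules never see it.
pass quick on lo0 all

# Default deny. This is the line that, when uncommented, exposes any
# traffic that has no explicit pass rule below.
block all

# Queries arriving at our nameserver (UDP for normal lookups, TCP for
# truncated answers and zone transfers). "keep state" lets the replies
# leave again without a separate "pass out" rule for them.
pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53 keep state

# Queries our nameserver sends to other servers. Unless named.conf pins
# "query-source address * port 53", the source port is ephemeral, so the
# rule must not restrict it. Pinning it makes the port predictable, which
# removes one defence a resolver has against forged answers, so the
# wider rule below is the safer default.
pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) to any port 53 keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, then confirm what is actually in effect with "pfctl -sr" (rules) and "pfctl -ss" (state table entries created by the keep state rules).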



More information about the freebsd-questions mailing list