PF RULES! But mine doesn't ...

Fafa Hafiz Krantz fteg at london.com
Tue May 10 05:19:50 PDT 2005


----- Original Message -----
From: "Giorgos Keramidas" <keramida at ceid.upatras.gr>
To: "Fafa Hafiz Krantz" <fteg at london.com>, "Jan Grant" <Jan.Grant at bristol.ac.uk>
Subject: Re: PF RULES! But mine doesn't ...
Date: Tue, 10 May 2005 13:50:27 +0300

> 
> On 2005-05-10 05:09, Fafa Hafiz Krantz <fteg at london.com> wrote:
> >> It's a question of letting DNS traffic _in_ to your nameserver:
> >>
> >> pass in on $ext_if inet proto { tcp, udp } \
> >> 	from any to ($ext_if) port 53
> >>
> >> ^^^ that lets the traffic in....
> >>
> >> pass out on $ext_if inet proto { tcp, udp } \
> >> 	from ($ext_if) port 53 to any
> >>
> >> ^^^ and that lets it back out.
> >>
> >> If you add the "query-source address * port 53;" to your named.conf
> >> "options" section, that'll suffice; additionally, since your DNS
> >> query source port is then predictable, you can drop it from the DNS
> >> and NTP rule.
> >
> > Hello again, Jan!
> >
> > Well, I tried applying what you said now as well as last time you
> > said it -- but the problem is still there. Unless I uncomment the default
> > deny policy nothing seems to work. The problem must lie elsewhere in my
> > ruleset:
> 
> Show us the output of:
> 
> 	# pfctl -sr
> 
> [snip ruleset]

Hello!

# pfctl -sr

No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
block drop log all
pass quick on lo0 all
pass quick on ep0 all
pass out on lnc0 inet proto tcp from (lnc0) to any keep state
pass out on lnc0 inet proto udp from (lnc0) to any keep state
pass out on lnc0 inet proto icmp from (lnc0) to any keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
pass in on lnc0 inet proto udp from any to (lnc0) port = domain
pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
pass out on lnc0 inet proto udp from (lnc0) port = domain to any
pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
pass in on lnc0 proto tcp from any to any port = 31337 keep state
pass in on lnc0 proto tcp from any to any port 53333:55555

About the ALTQ thing, it should be in the kernel.
I just recompiled it with:

# *** Internet family options
#
device          pf              # OpenBSD PF firewall
device          pflog           # Logging support interface
device          altq            # Alternate queuing
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 translation
device          bpf             # Berkeley Packet Filter

Thanks!

--

Fafa Hafiz Krantz
  Research Designer @ http://www.home.no/barbershop
  Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf
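
As an added example, not code from this thread or from the PF project, the script below runs over the `pfctl -sr` listing pasted above and reports the things a reviewer would check first in a ruleset like this: pass rules that create no state (so the reply direction must be matched by a separate rule), inbound TCP rules that keep state without `flags S/SA`, inbound rules whose destination is `any` rather than the interface address, and catch-all rules that leave an interface unfiltered. In PF of this era `keep state` was not implicit, which is why stateless pass rules are worth listing. The issue categories, the loopback exclusion and the simplified tokenizer are this script's own assumptions; it does not implement the full pf.conf grammar. One caveat on the quoted advice: pinning the nameserver's query source port to 53 makes outgoing queries predictable, and a fixed query source port is no longer considered good practice for cache-poisoning resistance.

```python
"""Audit a `pfctl -sr` listing for pass rules a reviewer would question.

Added example, not code from the thread.  The issue categories, the
loopback exclusion and the simplified rule tokenizer are assumptions of
this script; it does not implement the full pf.conf grammar.
"""

# The `pfctl -sr` output pasted in the message above, used as sample input.
PFCTL_SR = """\
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
block drop log all
pass quick on lo0 all
pass quick on ep0 all
pass out on lnc0 inet proto tcp from (lnc0) to any keep state
pass out on lnc0 inet proto udp from (lnc0) to any keep state
pass out on lnc0 inet proto icmp from (lnc0) to any keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
pass in on lnc0 inet proto udp from any to (lnc0) port = domain
pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
pass out on lnc0 inet proto udp from (lnc0) port = domain to any
pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
pass in on lnc0 proto tcp from any to any port = 31337 keep state
pass in on lnc0 proto tcp from any to any port 53333:55555
"""

LOOPBACK = {"lo0"}  # assumption: rules on loopback are not audited


def parse_rule(line):
    """Tokenize one pass/block rule into a dict; other lines give None."""
    toks = line.split()
    if not toks or toks[0] not in ("pass", "block"):
        return None
    rule = {"action": toks[0], "direction": None, "iface": None, "proto": None,
            "from": None, "to": None, "src_port": None, "dst_port": None,
            "flags": None, "quick": False, "keep_state": False}
    endpoint = "to"  # side a "port" clause belongs to; updated by from/to
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            i += 1
            rule["iface"] = toks[i]
        elif t == "proto":
            i += 1
            rule["proto"] = toks[i]
        elif t in ("from", "to"):
            endpoint = t
            i += 1
            rule[t] = toks[i]
        elif t == "port":
            i += 1
            if toks[i] == "=":      # pfctl prints "port = domain" or "port 1:2"
                i += 1
            rule["src_port" if endpoint == "from" else "dst_port"] = toks[i]
        elif t == "flags":
            i += 1
            rule["flags"] = toks[i]
        elif t == "user":
            i += 2                  # skip "= 62"
        elif t == "keep" and i + 1 < len(toks) and toks[i + 1] == "state":
            rule["keep_state"] = True
            i += 1
        elif t == "all":
            rule["from"] = rule["to"] = "any"
        # remaining tokens (inet, log, drop) do not affect the audit
        i += 1
    return rule


def audit(listing):
    """Return (issue, rule_text) pairs for pass rules worth a second look."""
    findings = []
    for line in listing.splitlines():
        r = parse_rule(line)
        if r is None or r["action"] != "pass" or r["iface"] in LOOPBACK:
            continue
        if r["proto"] is None and r["from"] == "any" and r["to"] == "any":
            findings.append(("catch-all", line))    # whole interface unfiltered
        if r["proto"] is not None and not r["keep_state"]:
            findings.append(("stateless", line))    # replies need their own rule
        if (r["proto"] == "tcp" and r["direction"] == "in"
                and r["keep_state"] and r["flags"] is None):
            findings.append(("tcp-no-syn", line))   # any packet can create state
        if r["direction"] == "in" and r["to"] == "any":
            findings.append(("any-dst", line))      # not limited to host address
    return findings


def count_by_issue(findings):
    """Summarise findings as {issue: count}."""
    counts = {}
    for issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    for issue, text in audit(PFCTL_SR):
        print(f"{issue:11} {text}")
```

Run against the listing above it flags the `pass quick on ep0 all` rule as a catch-all, the four stateless DNS rules plus the 53333:55555 rule as stateless, the port 31337 rule as keeping state without a SYN restriction, and both `to any` inbound rules as not limited to the host's own address. Whether each is intended is for the ruleset's owner to decide; the point is that these are the lines to read first when "nothing works unless the default deny is removed".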

