What's wrong with this ruleset?
Gerard Samuel
fbsd-pf at trini0.org
Wed Mar 2 02:25:26 GMT 2005
Max Laier wrote:
>On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
>
>
>>For some reason, port 53 is blocked going out of the external interface ->
>>000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 >
>>xx.xx.xx.xxx.4973
>>
>>I'm still new to pf, but shouldn't the last two lines allow anything
>>going out to pass??
>>Any ideas on how to fix?
>>
>>
>
>Can you send the output of "$pfctl -vsr" after some packets have been blocked?
>The match counters are extremely helpful when debugging such problems.
>
Just before this email came in, I changed the last 2 rules to ->
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto {udp, icmp} all keep state
pass out on $ext_if proto {tcp, udp, icmp} all keep state
And it started working. I've changed it back, and I'll try what you've
suggested in a few hours, when the dns servers start looking for updates...
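Following Max's suggestion to read the match counters, the script below is an added example (not part of the thread, and not from the pf project) that picks out the block rules which have actually matched packets from `pfctl -vsr` output, so the rule that is swallowing the outbound port 53 traffic can be named rather than guessed. It assumes the `pfctl -vsr` layout in which each rule line is followed by an indented `[ Evaluations: ... Packets: ... ]` counter line; the sample output embedded in `SAMPLE_PFCTL_VSR` is constructed for the demonstration and is not taken from Gerard's host.

```shell
#!/bin/sh
# Added example: identify which block rules have matched packets in
# `pfctl -vsr` output. The sample below is CONSTRUCTED to resemble pfctl
# output (rule line, then indented counter/metadata lines); it is not
# output from the original poster's firewall.
SAMPLE_PFCTL_VSR='block drop out log on ed0 all
  [ Evaluations: 120       Packets: 7         Bytes: 518         States: 0     ]
  [ Inserted: uid 0 pid 1077 State Creations: 0     ]
pass out on ed0 proto tcp all flags S/SA modulate state
  [ Evaluations: 113       Packets: 42        Bytes: 9120        States: 3     ]
  [ Inserted: uid 0 pid 1077 State Creations: 3     ]
pass out on ed0 proto udp all keep state
  [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1077 State Creations: 0     ]'

# Print "<packets><TAB><rule>" for every rule whose Packets counter is
# non-zero. The rule text is remembered from the preceding unindented line;
# indented "[ ... ]" lines are counters or metadata, never rule text.
matched_rules() {
  printf '%s\n' "$1" | awk '
    /^  \[/ {
      if ($0 ~ /Evaluations:/) {
        for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
        if (pkts + 0 > 0) printf "%s\t%s\n", pkts, rule
      }
      next
    }
    { rule = $0 }
  '
}

# Restrict the list to block rules: these are the candidates for the
# "rule 0/0(match): block out on ed0" entry seen in the pflog output.
blocking_rules() {
  matched_rules "$1" | awk -F'\t' '$2 ~ /^block/'
}

# Demo on the constructed sample. On a live pf host (as root) the same
# function can be fed real counters with:  blocking_rules "$(pfctl -vsr)"
blocking_rules "$SAMPLE_PFCTL_VSR"
```

A pass rule whose Packets counter stays at zero while a block rule's counter climbs is exactly the symptom worth chasing: the traffic is being evaluated, but the pass rule is never the final match for it. Rerunning `pfctl -vsr` after reproducing the blocked lookup and comparing the counters before and after shows which rule changed.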