What's wrong with this ruleset?
Gerard Samuel
fbsd-pf at trini0.org
Wed Mar 2 04:16:44 GMT 2005
Max Laier wrote:
>On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
>
>>For some reason, port 53 is blocked going out of the external interface ->
>>000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > xx.xx.xx.xxx.4973
>>
>>I'm still new to pf, but shouldn't the last two lines allow anything
>>going out to pass??
>>Any ideas on how to fix?
>>
>
>Can you send the output of "$pfctl -vsr" after some packets have been blocked?
>The match counters are extremely helpful when debugging such problems.
>
Ok, here is the output ->
gatekeeper# pfctl -vsr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
  [ Evaluations: 12507 Packets: 6644 Bytes: 0 States: 0 ]
block return log all
  [ Evaluations: 1503 Packets: 260 Bytes: 22541 States: 0 ]
pass quick on lo0 all
  [ Evaluations: 1503 Packets: 128 Bytes: 13700 States: 0 ]
block drop in quick on ed0 inet from 127.0.0.0/8 to any
  [ Evaluations: 1375 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ed0 inet from 192.168.0.0/16 to any
  [ Evaluations: 628 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ed0 inet from 172.16.0.0/12 to any
  [ Evaluations: 628 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ed0 inet from 10.0.0.0/8 to any
  [ Evaluations: 628 Packets: 319 Bytes: 117104 States: 0 ]
block drop out quick on ed0 inet from any to 127.0.0.0/8
  [ Evaluations: 682 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on ed0 inet from any to 192.168.0.0/16
  [ Evaluations: 373 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on ed0 inet from any to 172.16.0.0/12
  [ Evaluations: 373 Packets: 0 Bytes: 0 States: 0 ]
block drop out quick on ed0 inet from any to 10.0.0.0/8
  [ Evaluations: 373 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto tcp from any to (ed0) port = ssh flags S/SA keep state
  [ Evaluations: 682 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto tcp from any to (ed0) port = auth flags S/SA keep state
  [ Evaluations: 243 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto udp from xx.xx.xx.xx to any port = bootpc
  [ Evaluations: 309 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 proto tcp from any to any port = ssh
  [ Evaluations: 309 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 proto tcp from any to any port = domain
  [ Evaluations: 259 Packets: 210 Bytes: 10392 States: 0 ]
pass in on ed0 proto udp from any to any port = domain
  [ Evaluations: 260 Packets: 35 Bytes: 2367 States: 0 ]
pass in on ed0 proto tcp from any to any port = smtp
  [ Evaluations: 309 Packets: 294 Bytes: 100871 States: 0 ]
pass in on ed0 proto tcp from any to any port = pop3
  [ Evaluations: 259 Packets: 0 Bytes: 0 States: 0 ]
pass in on ed0 inet proto tcp from any to 10.0.0.1 port = http flags S/SA synproxy state
  [ Evaluations: 259 Packets: 54 Bytes: 25986 States: 0 ]
pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 683 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet from 192.168.0.0/16 to any keep state
  [ Evaluations: 664 Packets: 3099 Bytes: 1026733 States: 33 ]
pass in on fxp0 inet from 10.0.0.0/24 to any keep state
  [ Evaluations: 355 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 inet from any to 192.168.0.0/16 keep state
  [ Evaluations: 747 Packets: 296 Bytes: 100967 States: 0 ]
pass out on fxp0 inet from any to 10.0.0.0/24 keep state
  [ Evaluations: 19 Packets: 126 Bytes: 51074 States: 1 ]
pass out on ed0 proto tcp all flags S/SA modulate state
  [ Evaluations: 701 Packets: 1660 Bytes: 837928 States: 13 ]
pass out on ed0 proto udp all keep state
  [ Evaluations: 373 Packets: 261 Bytes: 40969 States: 3 ]
pass out on ed0 proto icmp all keep state
  [ Evaluations: 373 Packets: 38 Bytes: 3192 States: 0 ]