PC dns request is getting blocked

Jayel Villamin jarthel at gmail.com
Sun Mar 6 20:42:09 GMT 2005


pf.conf contents
=====================
######
#macros

#interfaces
ext_if = "tun0"
egwene_if = "xl1"
elayne_if = "xl2"
loopback_if = "lo0"

#private networks
private_net = "{ 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8,
10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23,
224.0.0.0/3 }"

#network services
icmp_types = "echoreq"

ext_out_udp_ports = "{ domain, ntp }"
ext_in_tcp_ports_from = "{ ftp-data, 1066 }"
ext_in_tcp_ports_to = "{ ssh, auth, 19979,19969 }"
ext_in_apache = "19989"

egwene_in_udp_ports = "{ domain, ntp }"
egwene_in_tcp_ports = "{ socks, 19999, 19985:19989, 6881:6889,
5900:5909, https, ssh, pop3, smtp }"
egwene_out_tcp_ports = "{ 19975:19979, 19999 }"
egwene_out_home_lan_services = "{ 19985:19989, 5900:5909 }"

elayne_in_udp_ports = "{ domain, ntp }"
elayne_in_tcp_ports = "{ socks, 19999, 19985:19989, 6881:6889,
5900:5909, https, ssh, nntp }"
elayne_out_tcp_ports = "{ 19975:19979, 19999 }"
elayne_out_home_lan_services = "{ 19985:19989, 5900:5909 }"

#specific PCs
nynaeve = "127.0.0.1/32"
nynaeve_nic2 = "192.168.1.1/32"
nynaeve_nic3 = "192.168.2.1/32"
egwene = "192.168.1.2/32"
rand = "192.168.1.3/32"
elayne = "192.168.2.2/32"

######
#pf options
set limit { frags 10000, states 10000 }
set loginterface $ext_if
set optimization normal
set block-policy drop

#######
#scrub packets
scrub all fragment reassemble

######
#nat and redirection
nat on $ext_if from $egwene_if:network to any -> ($ext_if)
nat on $ext_if from $elayne_if:network to any -> ($ext_if)

rdr on $ext_if proto tcp from any to ($ext_if) port www -> $nynaeve port 19989

######
#rules
block log all

pass quick on $loopback_if all

block in  quick on $ext_if from $private_net to any
block out quick on $ext_if from any to $private_net

pass out quick on $ext_if inet proto udp from ($ext_if) to any port $ext_out_udp_ports keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any port $ext_in_tcp_ports_from to ($ext_if) keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ext_in_tcp_ports_to flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to 127.0.0.1 port $ext_in_apache flags S/SA synproxy state

pass in quick on $egwene_if inet proto udp from $egwene_if:network to $nynaeve_nic2 port $egwene_in_udp_ports keep state
pass in quick on $egwene_if inet proto tcp from $egwene_if:network to any port $egwene_in_tcp_ports flags S/SA keep state
pass out quick on $egwene_if inet proto tcp from $egwene_if:network to any port $egwene_out_tcp_ports flags S/SA keep state
pass out quick on $egwene_if inet proto tcp from $elayne_if:network to $egwene_if:network port $egwene_out_home_lan_services flags S/SA keep state
pass in quick on $egwene_if inet proto tcp from $nynaeve_nic2 port = socks to $egwene_if:network

pass out quick on $elayne_if inet proto udp from $elayne_if:network to $nynaeve_nic3 port $elayne_in_udp_ports keep state
pass in quick on $elayne_if inet proto tcp from $elayne_if:network to any port $elayne_in_tcp_ports flags S/SA keep state
pass out quick on $elayne_if inet proto tcp from $elayne_if:network to any port $elayne_out_tcp_ports keep state
pass out quick on $elayne_if inet proto tcp from $egwene_if:network to $elayne_if:network port $elayne_out_home_lan_services flags S/SA keep state
pass in quick on $elayne_if inet proto tcp from $nynaeve_nic3 port = socks to $elayne_if:network

#allow pings to go out
pass out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type $icmp_types keep state
pass in quick on $egwene_if inet proto icmp from $egwene_if:network to any icmp-type $icmp_types keep state
pass in quick on $elayne_if inet proto icmp from $elayne_if:network to any icmp-type $icmp_types keep state

#allow VNC coming in from outside world
pass out quick on $egwene_if inet proto tcp from $nynaeve_nic2 to $egwene port = 5900 flags S/SA keep state
pass out quick on $egwene_if inet proto tcp from $nynaeve_nic2 to $rand port = 5901 flags S/SA keep state
pass out quick on $elayne_if inet proto tcp from $nynaeve_nic3 to $elayne port = 5905 flags S/SA keep state
=============================
As can be seen above, the "egwene" and "elayne" sections have similar
configs except for the interface and IP addresses.

I have a 3rd PC which is connected to the "elayne section" and has a
fresh install of Windows XP. This 3rd PC has been configured as:
IP = 192.168.2.2
gateway = 192.168.2.1
dns = 192.168.2.1.

Every time I run "tcpdump -i pflog0", the 3rd PC's DNS requests are
blocked. The output is something like:
elayne.wot.blackjack > nynaeve_nic3.domain
I can ping 192.168.1.1 and 192.168.2.1 and I can VNC from the 3rd PC
to a 2nd PC in the network, so this 3rd PC is connected to the network.
I am not sure if only the DNS request is the problem.

I have a 2nd PC also running Windows XP and using:
IP = 192.168.1.2
gateway = 192.168.1.1
DNS = 192.168.1.1
This PC has no problems whatsoever connecting to the internet and
it has no problems with DNS queries.

I then changed the 3rd PC's IP to 192.168.1.3 (using the same gateway
and DNS server as the 2nd PC) and then proceeded to connect the cat5
cable to the same switch where the 2nd PC is connected. Since the 2nd
PC has no internet connection problems, it is safe to assume that the
3rd PC's DNS requests won't be blocked.

Well, after running tcpdump again, DNS queries from the 3rd PC with the
new IP are still getting blocked.

As another test, I turned off the 3rd PC and changed the IP of the 2nd
PC to 192.168.1.3, which is the same IP as the 3rd PC. Since DNS
requests from the 3rd PC are getting blocked, I am expecting that DNS
requests from the 2nd PC will be blocked now.

Guess what? No problems at all. I know that somehow Windows XP is
caching DNS that has been queried before. So when I tested it, I went
to sites (e.g. www.bbc.co.uk or www.excite.com or www.yahoo.com or
www.excite.co.jp) I haven't visited yet.

Could the network card on the 3rd PC be faulty? But as I said above, I
can ping 192.168.1.1 and 192.168.2.1 from the 3rd PC. And VNC from the
3rd PC to the 2nd PC is not a problem.

Any help is appreciated. Thank you for the replies.
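The ruleset above, as an added example that is not part of the original post and is not pf: a toy Python model of pf's evaluation order (the last matching rule wins unless a matching rule carries `quick`, which ends evaluation), applied to the two LAN DNS rules transcribed from the configuration with the macros expanded by hand. The /24 masks used for the `$egwene_if:network` and `$elayne_if:network` expansions are an assumption; the post does not show the interface masks. The point it isolates is direction: the egwene DNS rule is `pass in` while the elayne DNS rule is `pass out`, and a query sent by a LAN host arrives *in* on the LAN interface, so under `block log all` the elayne query falls through to the block. The model also includes the poster's second test (the 3rd PC re-addressed to 192.168.1.3 on the egwene interface); for that packet the model predicts `pass`, so the rules as transcribed do not on their own account for that observation.

```python
"""Toy first-match-with-quick evaluator for a few pf rules.

Added example, not pf and not the poster's code. It models only the rule
fields the two LAN DNS rules in the post use (direction, interface,
protocol, source/destination network, destination port, quick); it does
not implement state, flags, NAT or return options.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to iface
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: Optional[str]        # "in", "out" or None for either
    iface: Optional[str] = None     # None = any interface
    proto: Optional[str] = None     # None = any protocol
    src: Optional[str] = None       # CIDR; None = any
    dst: Optional[str] = None       # CIDR; None = any
    dport: Optional[int] = None     # None = any port
    quick: bool = False
    label: str = ""


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    return (
        rule.direction in (None, pkt.direction)
        and rule.iface in (None, pkt.iface)
        and rule.proto in (None, pkt.proto)
        and _in_net(pkt.src, rule.src)
        and _in_net(pkt.dst, rule.dst)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """pf order: last matching rule wins, unless a matching rule is quick."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        raise ValueError("no rule matched; a 'block all' rule should always match")
    return winner


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    rule = evaluate(rules, pkt)
    return rule.action, rule.label


def with_direction(rule: Rule, direction: str) -> Rule:
    """Copy of a rule with only its in/out keyword changed."""
    return replace(rule, direction=direction)


# Rules transcribed from the post, macros expanded (domain = udp/53).
# Assumption: both LAN interfaces carry a /24, which the post does not state.
BLOCK_ALL = Rule("block", None, label="block log all")
EGWENE_DNS = Rule("pass", "in", "xl1", "udp", "192.168.1.0/24", "192.168.1.1/32", 53,
                  quick=True, label="pass in quick on $egwene_if ... $egwene_in_udp_ports")
ELAYNE_DNS = Rule("pass", "out", "xl2", "udp", "192.168.2.0/24", "192.168.2.1/32", 53,
                  quick=True, label="pass out quick on $elayne_if ... $elayne_in_udp_ports")
RULESET = [BLOCK_ALL, EGWENE_DNS, ELAYNE_DNS]

# Constructed sample packets: a DNS query from each LAN host to its gateway,
# as pf sees it arriving on the inside interface (direction "in").
EGWENE_QUERY = Packet("in", "xl1", "udp", "192.168.1.2", "192.168.1.1", 53)
ELAYNE_QUERY = Packet("in", "xl2", "udp", "192.168.2.2", "192.168.2.1", 53)
MOVED_QUERY = Packet("in", "xl1", "udp", "192.168.1.3", "192.168.1.1", 53)  # 3rd PC re-addressed

if __name__ == "__main__":
    for name, pkt in (("egwene", EGWENE_QUERY), ("elayne", ELAYNE_QUERY), ("moved", MOVED_QUERY)):
        print(name, verdict(RULESET, pkt))
    fixed = [BLOCK_ALL, EGWENE_DNS, with_direction(ELAYNE_DNS, "in")]
    print("elayne with 'pass in':", verdict(fixed, ELAYNE_QUERY))
```

On the real box the same information is in the log: `tcpdump -n -e -ttt -i pflog0` prints the matching rule number, the action and the direction and interface for each logged packet, and `pfctl -vvsr` lists the loaded rules with those numbers, so the blocking rule and the direction pf assigned to the packet can be read off directly rather than inferred.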

