[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipf > pf beginner question

> So,
> pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state
> pass out on xl0 inet proto {tcp, udp} from any to any port 53 keep state
> should do the trick? But if I look at the dns queries from outside they are 
> generated from port 53 to a high-numbered port and thus will be blocked 
> with the above rules?
	Don't look at source packet, but destination.  In these you can see
port 53, where name service runs.
[[email protected]:root]# tcpdump -i eth0 -n port 53
tcpdump: listening on eth0
13:34:35.922231 >  46641+ A?
helio.loureiro.eng.br. (39) (DF)
13:34:35.929837 >  46641 2/5/4
CNAME[|domain] (DF)
	Here you can see a tcpdump from my Linux laptop (yes, Linux), where I
started a "nslookup".  My machine,, started connection
from port 1030 (any free port above 1024) to dns server,, port 53.
> I suppose this is generally available information that I somehow did not 
> pick up. However, fact remains that there is something more to the pf 
> ruleset than what I am used to from ipf.
	How I said, "keep state" looks like not working properly, so you can
add just a rule for outgoing packets.
Hélio Alexandre Lopes Loureiro [[email protected]]
Regional Software Supply & Integration
South America
Tel.: + 55 11 6224-1795 
Public Key ID: [email protected]http://search.keyserver.net