
Re: OpenBSD 3.2 & DNS.



look below
On Mon, 7 Apr 2003, Richard Gutery wrote:
> Thanks for all suggestions, but alas I'm still brain dead and can't see the
> forest for the trees.
>
>  I'm enclosing the contents of pf.conf. Maybe someone can see something that
> I'm completely missing - ARGH!!!
>
> # ne3 = External Net xxx.xxx.xxx.0/255.255.252.0
> # vr0 = Internal Net yyy.yyy.yyy.0/255.255.255.0
>
>  FTPPORTS = "{ 55000 >< 57000 }"
>
> # NORMALIZE the Universe
>  scrub in all
>
> # NAT:
>  nat on ne3 inet from yyy.yyy.yyy.0/24 to any -> ne3
>
> # RDR:
>
>  rdr on vr0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
>  rdr on ne3 proto tcp from any to xxx.xxx.xxx.0/24 port 21  -> \
> 	yyy.yyy.yyy.249 port 21
>  rdr on ne3 proto tcp from any to xxx.xxx.xxx.0/24 port   25 -> \
> 	yyy.yyy.yyy.250 port 25
>  rdr on ne3 proto tcp from any to xxx.xxx.xxx.0/24 port  110 -> \
> 	yyy.yyy.yyy.250 port 110
>  rdr on ne3 proto tcp from any to xxx.xxx.xxx.0/24 port   80 -> \
> 	yyy.yyy.yyy.249 port 80
>  rdr on ne3 proto tcp from any to xxx.xxx.xxx.0/24 port  1723 -> \
> 	yyy.yyy.yyy.250 port 1723
>  rdr on ne3 proto { tcp, udp } from any to xxx.xxx.xxx.0/24 port 53 -> \
> 	yyy.yyy.yyy.250 port 53
delete the above rule^^^^^
>
> # FILTER: the implicit first two rules are (used for testing...)
>  pass in all
>  pass out all
>
> # DNS ???
>  pass out on ne3 inet proto tcp from any to any port = 53 modulate state
>  pass out on ne3 inet proto udp from any to any port = 53 keep state
>
> # block in log all
>
>
> # allow incoming connections
>  pass  in on ne3 inet proto tcp from any to yyy.yyy.yyy.yyy port 1723 keep state
>  pass  in on ne3 inet proto gre from any to yyy.yyy.yyy.yyy keep state
>  pass out on ne3 inet proto gre from any to any keep state
>  pass  in on ne3 inet proto tcp from any to any port 22 keep state
>  pass out on ne3 inet proto { tcp, udp } all keep state
>
add this:
pass in on ne3 inet proto {udp,tcp} from any to any port = 53 keep state
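
A practical check to go with the advice above, added here and not part of either poster's message: the quoted pf.conf still has the testing rules `pass in all` / `pass out all` in place and `block in log all` commented out, so any rdr'd service that lacks its own `pass in` rule (the port 53 rule the reply adds, for instance) will only stop working once the blanket pass is replaced. The script below is a small, constructed lint that joins continuation lines, parses each `rdr` and `pass in` rule down to interface, protocol and destination port, and reports rdr rules that no specific `pass in` rule admits. The sample config is a reconstruction of the thread's pf.conf with the same interface names and rule shapes and documentation addresses in place of the masked ones. It only compares interface/protocol/port and knows nothing about pf's last-match evaluation, `quick`, or addresses; it is a sanity check on the ruleset text, not a replacement for `pfctl -nf /etc/pf.conf`.

```python
import re

# Constructed sample modelled on the pf.conf quoted in the thread: same
# interface names and rule shapes, masked addresses replaced with
# documentation ranges. 'pass in all' is the testing rule left in place.
SAMPLE_PF_CONF = """\
scrub in all
nat on ne3 inet from 192.0.2.0/24 to any -> ne3
rdr on vr0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
rdr on ne3 proto tcp from any to 203.0.113.0/24 port 21 -> \\
\t192.0.2.249 port 21
rdr on ne3 proto tcp from any to 203.0.113.0/24 port 25 -> 192.0.2.250 port 25
rdr on ne3 proto tcp from any to 203.0.113.0/24 port 1723 -> 192.0.2.250 port 1723
rdr on ne3 proto { tcp, udp } from any to 203.0.113.0/24 port 53 -> \\
\t192.0.2.250 port 53
pass in all
pass out all
# block in log all
pass in on ne3 inet proto tcp from any to 192.0.2.250 port 1723 keep state
pass in on ne3 inet proto gre from any to 192.0.2.250 keep state
pass in on ne3 inet proto tcp from any to any port 22 keep state
pass out on ne3 inet proto { tcp, udp } all keep state
"""

# The rule the reply says to add.
DNS_PASS_RULE = "pass in on ne3 inet proto {udp,tcp} from any to any port = 53 keep state"


def normalize(text):
    """Join backslash-continued lines, strip comments and blank lines,
    and collapse runs of whitespace so the regexes below see one space."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(re.sub(r"\s+", " ", line))
    return rules


def _expand(token):
    """'tcp' -> {'tcp'}; '{ tcp, udp }' or '{udp,tcp}' -> {'tcp', 'udp'}."""
    return {t.strip() for t in token.strip("{}").split(",") if t.strip()}


def parse_rule(rule):
    """Pull interface, direction, protocols and destination port out of a
    normalized rdr or pass rule. Returns None for any other rule type."""
    words = rule.split()
    action = words[0]
    if action not in ("rdr", "pass"):
        return None
    direction = words[1] if action == "pass" and words[1] in ("in", "out") else None
    lhs = rule.split("->", 1)[0]  # ignore the rdr target after '->'
    m = re.search(r"\bon (\S+)", lhs)
    iface = m.group(1) if m else "any"
    m = re.search(r"\bproto (\{[^}]*\}|\S+)", lhs)
    protos = _expand(m.group(1)) if m else {"any"}
    m = re.search(r"\bport\s*=?\s*(\{[^}]*\}|\S+)", lhs)
    ports = _expand(m.group(1)) if m else {"any"}
    return {"action": action, "dir": direction, "iface": iface,
            "protos": protos, "ports": ports}


def _covers(pass_rule, rdr_rule):
    """True if a 'pass in' rule admits everything the rdr rule redirects."""
    if pass_rule["iface"] not in ("any", rdr_rule["iface"]):
        return False
    if "any" not in pass_rule["protos"] and not rdr_rule["protos"] <= pass_rule["protos"]:
        return False
    if "any" not in pass_rule["ports"] and not rdr_rule["ports"] <= pass_rule["ports"]:
        return False
    return True


def _is_catch_all(rule):
    return rule["iface"] == "any" and rule["protos"] == {"any"} and rule["ports"] == {"any"}


def unpassed_redirects(text, assume_default_block=True):
    """Return 'iface protos port' summaries of rdr rules that no specific
    'pass in' rule admits. With assume_default_block=True a blanket
    'pass in all' is disregarded, which answers: what stops working once
    that testing rule is replaced by 'block in log all'?"""
    parsed = [r for r in map(parse_rule, normalize(text)) if r]
    passes = [r for r in parsed if r["action"] == "pass" and r["dir"] == "in"]
    if assume_default_block:
        passes = [r for r in passes if not _is_catch_all(r)]
    missing = []
    for rdr in (r for r in parsed if r["action"] == "rdr"):
        if not any(_covers(p, rdr) for p in passes):
            missing.append(f"{rdr['iface']} {','.join(sorted(rdr['protos']))} "
                           f"{','.join(sorted(rdr['ports']))}")
    return missing


if __name__ == "__main__":
    print("rdr rules with no specific pass in:", unpassed_redirects(SAMPLE_PF_CONF))
    print("after adding the port 53 rule:",
          unpassed_redirects(SAMPLE_PF_CONF + DNS_PASS_RULE + "\n"))
```

Run against the sample, the lint lists the vr0 ftp-proxy redirect and the ne3 port 21, 25 and 53 redirects as unprotected once `pass in all` goes away; appending the reply's `pass in ... port = 53` rule removes the port 53 entry, and the remaining ones need their own `pass in` rules before `block in log all` is enabled.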