On Sat, Apr 22, 2006 at 03:37:35PM -0700, Allie Daneman wrote:
> Apr 22 14:53:52.935466 rule 18/(match) pass out on xl0: 24.XX.XX.X.50599 >
> 216.XXX.XX.XX.53: [|domain]
> Apr 22 14:53:53.015842 rule 13/(match) block in on xl0: 216.XXX.XX.XX.61144 >
> 24.XX.XX.X.50599: udp 116 [tos 0x20]
The query is to port 53, but the reply isn't coming from port 53, but from port 61144. I think that's technically legal for DNS, but has become mostly an obscurity today, because it breaks on almost any firewall (not just pf). I.e. most DNS servers don't do that anymore, and you have found one that still does. I don't know why it was made legal in the first place, maybe an existing vendor insisted that he couldn't afford to modify his unmaintainable code to do a bind(2) call ;)

There's no way to match that reply to the state entry (as matching is based on port numbers), so you'd have to basically pass all such replies in statelessly (opening UDP up wide open). Or just screw that DNS server.

Daniel
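To make the port-matching point concrete, here is an added example (not code from the thread or from pf itself) that parses the two pflog lines quoted above, builds a UDP state entry from the outbound query, and checks which inbound replies match the reversed 4-tuple. It assumes the tcpdump-style line shape shown in the thread and a simplified state model keyed only on addresses and ports (real pf keys also include protocol, interface and direction); the masked `XX` addresses are taken as posted, and the port-53 reply line is constructed for comparison.

```python
import re
from typing import Dict, Iterable, NamedTuple, Set, Tuple

# Line shape as quoted in the thread (assumed stable for this demo): timestamp, rule, action,
# direction, interface, then "src.sport > dst.dport:" as tcpdump prints it.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

class Packet(NamedTuple):
    action: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int

def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """tcpdump writes host.port; the port is the last dotted component."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)

def parse_pflog(line: str) -> Packet:
    m = PFLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised pflog line: {line!r}")
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return Packet(m["action"], m["dir"], src, sport, dst, dport)

StateKey = Tuple[str, int, str, int]  # (src, sport, dst, dport) of the packet that created the state

def state_key(p: Packet) -> StateKey:
    return (p.src, p.sport, p.dst, p.dport)

def reply_key(p: Packet) -> StateKey:
    """An inbound packet matches a state only if its 4-tuple is the state's tuple reversed."""
    return (p.dst, p.dport, p.src, p.sport)

def check_replies(outbound_line: str, reply_lines: Iterable[str]) -> Dict[int, bool]:
    """Create state from the outbound query, then report per reply source port whether it matches."""
    states: Set[StateKey] = {state_key(parse_pflog(outbound_line))}
    return {p.sport: reply_key(p) in states for p in map(parse_pflog, reply_lines)}

# The two pflog lines quoted in the thread, masked addresses as posted.
QUERY = "Apr 22 14:53:52.935466 rule 18/(match) pass out on xl0: 24.XX.XX.X.50599 > 216.XXX.XX.XX.53: [|domain]"
ODD_REPLY = "Apr 22 14:53:53.015842 rule 13/(match) block in on xl0: 216.XXX.XX.XX.61144 > 24.XX.XX.X.50599: udp 116 [tos 0x20]"
# Constructed: the same reply as a server answering from port 53 would send it.
NORMAL_REPLY = "Apr 22 14:53:53.015842 rule 18/(match) pass in on xl0: 216.XXX.XX.XX.53 > 24.XX.XX.X.50599: udp 116 [tos 0x20]"

if __name__ == "__main__":
    for sport, ok in check_replies(QUERY, [ODD_REPLY, NORMAL_REPLY]).items():
        print(f"reply from port {sport}: {'matches state' if ok else 'no matching state, blocked'}")
```

The 61144 reply fails the lookup because the state was keyed on port 53, which is exactly why a stateless `pass in proto udp` rule would be the only way to admit it.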