On 2011/12/06 03:33, Steven Chamberlain wrote:
> > # DNS dns
> > pass in on $ext_if proto { TCP, UDP } from any to $my_ip port 53 keep state
> 
> Come to think of it, you've put all the protocol names in upper case.
> In all the PF example rulesets I've seen, they are written in lower
> case.  Does that matter?

No, it doesn't matter.

> If your hosts only handle light network traffic right now, you could
> change your 'block all' to a 'block all log' and watch what happens in
> 'tcpdump -nni pflog0', while you try to reproduce the problem with NSD.

Good advice (or sprinkle some "log" in the relevant pass rules).
Or putting 'match log (matches) inet proto {tcp,udp} to port 53' at the
top of the ruleset and watching with tcpdump might be informative.
I would add -e to the tcpdump line; it's far more informative. It
changes the output from this:

10:04:49.190430 10.15.7.8.19770 > 10.15.7.53.53: 65195+[|domain]

to this:

10:04:54.129244 rule 0/(match) match out on trunk0: 10.15.7.8.26415 > 10.15.7.53.53: 41211+[|domain]

> Otherwise, take a look at the 'pfctl -vsr' packet and byte counters, to
> see whether your 'pass out' rules are really matching.

The counters in pfctl -si are worth a look too. It might also be
worth watching "route -n monitor".
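
An added example, not part of the mail: a small Python parser, with constructed sample lines, for the two tcpdump shapes shown above (plain 'tcpdump -nni pflog0' output and the same packet with -e) that pulls the matching rule number, action, direction and interface out of the -e header and tallies blocked port-53 packets per rule, which is the quickest way to see which block rule is catching the DNS traffic. The header layout 'rule N/(reason) action dir on ifname:' is assumed from the two lines quoted in the mail.

```python
import re
from collections import Counter

# Constructed sample lines in the two shapes shown in the mail: the first is
# plain 'tcpdump -nni pflog0' output, the rest add the -e pflog header
# (rule number, reason, action, direction, interface).
SAMPLE_LINES = [
    "10:04:49.190430 10.15.7.8.19770 > 10.15.7.53.53: 65195+[|domain]",
    "10:04:54.129244 rule 0/(match) match out on trunk0: 10.15.7.8.26415 > 10.15.7.53.53: 41211+[|domain]",
    "10:05:01.002117 rule 3/(match) block in on em0: 192.0.2.10.40123 > 10.15.7.53.53: S 1:1(0) win 65535",
    "10:05:01.504411 rule 3/(match) block in on em0: 192.0.2.10.40124 > 10.15.7.53.53: S 2:2(0) win 65535",
]

# Optional -e header 'rule N/(reason) action dir on ifname:' in front of the
# usual 'src > dst: summary' text; layout assumed from the two lines in the mail.
PFLOG_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:rule\s+(?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+(?P<action>\S+)\s+"
    r"(?P<direction>in|out)\s+on\s+(?P<ifname>[^:\s]+):\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s*(?P<summary>.*)$"
)

def parse_pflog_line(line):
    """Return a dict of fields for one pflog0 line, or None if it does not fit.
    Without -e the header fields (rule, reason, action, ...) are None."""
    m = PFLOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["rule"] is not None:
        rec["rule"] = int(rec["rule"])
    return rec

def split_hostport(addr):
    """'10.15.7.53.53' -> ('10.15.7.53', 53): tcpdump -nn appends the port."""
    host, port = addr.rsplit(".", 1)
    return host, int(port)

def blocked_per_rule(lines, port=53):
    """Count logged packets to `port` that PF blocked, keyed by rule number.
    A non-empty result names the 'block' rule that is eating the traffic."""
    hits = Counter()
    for rec in filter(None, map(parse_pflog_line, lines)):
        if rec["action"] == "block" and split_hostport(rec["dst"])[1] == port:
            hits[rec["rule"]] += 1
    return hits  # for SAMPLE_LINES: {3: 2}
```

Feed it the real capture with `tcpdump -nnei pflog0 | python3 -c ...` or a saved text file; lines that do not match the two shapes are skipped rather than mis-parsed.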
