Hello,

Thank you very much for your replies to our problem with OpenBSD 5.0 and PF. We cleaned up our ruleset on both servers but the problem is still present.
We have already tested "block log all" and "tcpdump -nnei pflog0" with PF activated on the primary, but we saw nothing/nothing was logged. This is why we assume that it could be an issue and/or bug in PF and/or OpenBSD 5.0. Any further hints to solve the problem are greatly appreciated.

Thank you in advance
Sébastien Maerker

--
Sébastien Maerker
Continum AG
Bismarckallee 7b-d
79098 Freiburg i. Br.
Tel. +49 761 217 111-77
Fax. +49 761 217 111-99
http://www.continum.net

Registered office: Freiburg im Breisgau
Registration court: Amtsgericht Freiburg, HRB 6866
Board: Rolf Mathis, Volker T. Mueller
Chairman of the supervisory board: Prof. Dr. Karl-F. Fischbach

----- Original Message -----
From: "Stuart Henderson" <[email protected]>
To: "Steven Chamberlain" <[email protected]>
CC: "Sebastien Maerker, Continum" <[email protected]>, [email protected], "V. T. Mueller, Continum" <[email protected]>
Sent: Tuesday, 6 December 2011 12:26:35
Subject: Re: Problems with OpenBSD 5.0 and PF

On 2011/12/06 03:33, Steven Chamberlain wrote:
> > # DNS dns
> > pass in on $ext_if proto { TCP, UDP } from any to $my_ip port 53 keep state
>
> Come to think of it, you've put all the protocol names in upper case.
> In all the PF example rulesets I've seen, they are written in lower
> case. Does that matter?

No, it doesn't matter.

> If your hosts only handle light network traffic right now, you could
> change your 'block all' to a 'block all log' and watch what happens in
> 'tcpdump -nni pflog0', while you try to reproduce the problem with NSD.

Good advice (or sprinkle some "log" in the relevant pass rules). Or putting 'match log (matches) inet proto {tcp,udp} to port 53' at the top of the ruleset and watching with tcpdump might be informative.
I would add -e to the tcpdump line, it's far more informative - changes from this:

10:04:49.190430 10.15.7.8.19770 > 10.15.7.53.53: 65195+[|domain]

to this:

10:04:54.129244 rule 0/(match) match out on trunk0: 10.15.7.8.26415 > 10.15.7.53.53: 41211+[|domain]

> Otherwise, take a look at the 'pfctl -vsr' packet and byte counters, to
> see whether your 'pass out' rules are really matching.

The counters in pfctl -si are worth a look too. It might also be worth watching "route -n monitor".
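The debugging steps suggested in the thread (watch pflog0 with tcpdump -e so the matching rule, action, direction and interface are visible, then check the pfctl -vsr counters for rules that never match) as an added example that is not part of the thread and not code from any of the posters. The sample tcpdump and pfctl output is constructed for this example; the rule numbers, interface names and addresses are assumptions, and the pfctl -vsr counter line layout is assumed from OpenBSD 5.x output rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: two helpers for reading the
# debugging output discussed above ("tcpdump -nnei pflog0" and the per-rule
# counters from "pfctl -vsr"). All sample output below is constructed for this
# example; rule numbers, interface names and addresses are assumptions.

# Constructed sample of "tcpdump -nnei pflog0" output. The "rule N/(reason)
# action dir on iface:" prefix is what -e adds on top of -nni.
SAMPLE_PFLOG='10:04:54.129244 rule 0/(match) match out on trunk0: 10.15.7.8.26415 > 10.15.7.53.53: 41211+[|domain]
10:04:54.129301 rule 3/(match) pass in on trunk0: 10.15.7.8.26415 > 10.15.7.53.53: 41211+[|domain]
10:04:55.000120 rule 1/(match) block in on em0: 192.0.2.7.40000 > 10.15.7.53.53: S 1:1(0) win 65535'

# Constructed sample of "pfctl -vsr" output: each rule line is followed by an
# indented counter line (layout assumed from OpenBSD 5.x pfctl, not verified here).
SAMPLE_PFCTL='match log (matches) inet proto udp from any to any port = 53
  [ Evaluations: 58        Packets: 58        Bytes: 4321        States: 0     ]
block drop log all
  [ Evaluations: 58        Packets: 1         Bytes: 60          States: 0     ]
pass out on trunk0 inet proto udp from any to any port = 53 keep state
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
pass in on trunk0 inet proto udp from any to 10.15.7.53 port = 53 keep state
  [ Evaluations: 40        Packets: 57        Bytes: 4261        States: 20    ]'

# pflog_summary: read pflog lines on stdin and print one tab-separated record
# per packet: rule  action  direction  interface  src  dst
pflog_summary() {
    awk '
        /rule [0-9]+\// {
            # $1 time, $2 "rule", $3 "N/(reason)", $4 action, $5 direction,
            # $6 "on", $7 "iface:", $8 src, $9 ">", $10 "dst:"
            rule = $3;  sub(/\/.*/, "", rule)
            iface = $7; sub(/:$/, "", iface)
            dst = $10;  sub(/:$/, "", dst)
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", rule, $4, $5, iface, $8, dst
        }'
}

# pflog_count_actions: count logged packets per pf action (match/pass/block),
# sorted by action, to answer "is anything being blocked at all?" at a glance.
pflog_count_actions() {
    pflog_summary | awk -F'\t' '{ n[$2]++ } END { for (a in n) print a, n[a] }' | sort
}

# pfctl_unmatched_rules: read "pfctl -vsr" output on stdin and print every rule
# whose Packets counter is still 0, i.e. rules that have never matched. A
# "pass out" rule showing up here is the case the thread suggests checking for.
pfctl_unmatched_rules() {
    awk '
        /^[a-z]/ { rule = $0 }
        /Packets:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            if (pkts == 0) print rule
        }'
}

# Stand-alone run over the constructed samples. On a live box you would feed
# the helpers from the real commands instead, e.g.
#   tcpdump -nnei pflog0 -l | pflog_summary
#   pfctl -vsr | pfctl_unmatched_rules
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_count_actions
printf '%s\n' "$SAMPLE_PFCTL" | pfctl_unmatched_rules
```

The summary keeps only the fields that -e adds plus the endpoints, which is what you need to answer the question in the thread: which rule number fired, whether it was a match/pass/block, and on which interface and direction. The pfctl helper does the complementary check from the counter side: a rule that is evaluated but has zero packets after reproducing the problem is one that is not matching, regardless of what pflog shows.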
