Hello,

Thank you for your help, but if we configure the following ruleset for tcp/udp port 53 on the primary, DNS isn't working anymore at all:

pass in on $ext_if inet proto tcp from any to PRIMARY port 53 no state
pass in on $ext_if inet proto udp from any to PRIMARY port 53 no state
pass out on $ext_if inet proto tcp from PRIMARY to any port 53 no state
pass out on $ext_if inet proto udp from PRIMARY to any port 53 no state

Please, can you help us find the right ruleset?

Thank you

Sébastien Maerker

--
Sébastien Maerker
Continum AG
Bismarckallee 7b-d
79098 Freiburg i. Br.
Tel. +49 761 217 111-77
Fax. +49 761 217 111-99
http://www.continum.net

Registered office: Freiburg im Breisgau
Court of registration: Amtsgericht Freiburg, HRB 6866
Board of management: Rolf Mathis, Volker T. Mueller
Chairman of the supervisory board: Prof. Dr. Karl-F. Fischbach

----- Original Message -----
From: "Steven Chamberlain" <[email protected]>
To: "Sebastien Maerker, Continum" <[email protected]>
CC: "Stuart Henderson" <[email protected]>, [email protected]
Sent: Thursday, 8 December 2011 16:30:56
Subject: Re: Problems with OpenBSD 5.0 and PF

On 08/12/11 12:01, Sebastien Maerker, Continum wrote:
> Another idea from us is:
> Is it possible to run a ruleset for port 53 udp/tcp and in/out completely
> stateless?

Hi,

I agree it seems strange to keep state for the 'stateless' DNS UDP protocol. I would be concerned at how easily an attacker could exhaust the state table by making many queries from randomised source ports and potentially many IPs (a large botnet, or spoofed).

If -- worst case -- someone were able to saturate a 1Gbps link with small DNS queries, say 96 bytes each with the Ethernet overheads included, that's about 1.3m pps. With a 10 second expiry, a state table of 2^24 = 16777216 entries would still cover it. It should still be very fast, needing at most 24 matches to locate an entry, but I guess it would require a lot of memory. (I also wonder if keeping state for IPv6 requires more memory still -- and limiting the max. number of states per address would be impractical for IPv6).

I would always keep state for tcp.

If you choose not to keep state for udp queries:

pass in on $ext_if inet proto udp from any to PRIMARY port 53 no state
pass out on $ext_if inet proto udp from PRIMARY to any port 53 no state

Remember that any ICMP errors related to this traffic would be blocked unless you go back to something like what you had before (I don't know if your list of icmp-types is ideal, but probably covers the ones needed):

pass in on $ext_if inet proto icmp all icmp-type { 0, 3, 8, 11, 30 }
pass out on $ext_if inet proto icmp all icmp-type { 0, 3, 8, 11, 30 }

Regards,
--
Steven Chamberlain
[email protected]
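The following pf.conf fragment is an added example, written for this page and not taken from either message in the thread. It keeps UDP DNS stateless, as discussed above, but also matches the reply direction: with "no state" no state entry is created, so a "pass out ... from PRIMARY to any port 53" rule only covers the server's own outgoing queries (destination port 53), not the answers it sends from port 53 to a client's ephemeral port, and those answers are then dropped by the default block. TCP keeps state, with a per-source cap on state entries so that the table is harder to exhaust, and the ICMP rule from the thread is carried over because stateless traffic gets no ICMP help from the state table either. The interface name, the documentation address standing in for PRIMARY, the "block all" default and the numbers in "set limit states" and "max-src-states" are assumptions for the example.

```pf
# Added example, not from the thread. Macro values are assumptions:
ext_if  = "em0"          # external interface (assumed name)
primary = "192.0.2.53"   # stands in for PRIMARY in the thread (documentation address)

# Size the state table for the worst case discussed above (2^24 entries is
# only an illustrative value; the default is far smaller).
set limit states 16777216

block all

# Stateless UDP DNS. Each direction of each exchange needs its own rule,
# because "no state" means no state entry will let the answer through.
# 1) Clients querying the server, and the server's answers from port 53.
pass in  quick on $ext_if inet proto udp from any to $primary port 53 no state
pass out quick on $ext_if inet proto udp from $primary port 53 to any no state
# 2) The server's own outgoing queries (recursion, NOTIFY, etc.) and the
#    answers coming back from port 53 of the remote server.
pass out quick on $ext_if inet proto udp from $primary to any port 53 no state
pass in  quick on $ext_if inet proto udp from any port 53 to $primary no state

# TCP DNS keeps state (as recommended above). source-track lets pf count
# states per client address so one source cannot fill the whole table.
pass in  on $ext_if inet proto tcp from any to $primary port 53 \
    flags S/SA keep state (max-src-states 100, source-track rule)
pass out on $ext_if inet proto tcp from $primary to any port 53 \
    flags S/SA keep state

# ICMP errors for the stateless UDP traffic must be passed explicitly.
pass in  on $ext_if inet proto icmp all icmp-type { 0, 3, 8, 11, 30 }
pass out on $ext_if inet proto icmp all icmp-type { 0, 3, 8, 11, 30 }
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf". Note the trade-off the stateless rules make: any UDP packet leaving the server from source port 53, and any UDP packet arriving from a remote source port 53, is passed without being tied to a query, which is exactly what stateful filtering would otherwise enforce; "pfctl -si" and "pfctl -ss | wc -l" show whether the TCP state count is actually near the limit before deciding the stateless design is worth it.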
