On Thu, Nov 18, 2010 at 09:25:48AM -0700, Joseph S. Dietz, Jr. wrote:
> Your issue is not with Ping aka ICMP but with DNS...
>
> Try some of these...
>
> pass in quick proto tcp/udp from any port = 53 to your-dns-server port > 1023

Yes, that works. This is beautiful.
I have added one single line:

pass in quick proto udp from any port = 53 to $myip port > 1023

And I see that the reply to ping does not come from the ISP's official DNS server but from another one. I can guess the reason.

Thank you very much indeed.
Harald Weis

> pass in quick proto tcp/udp from any port > 1023 to your-dns-server port = 53
> pass in quick proto tcp/udp from any port > 1023 to your-dns-server port = 53
>
> # you probably don't need this based on the fact that your request is getting out...
> pass out quick proto tcp/udp from your-dns-server to any port = 53
>
> Note that there is no logging simply because the amount of traffic is too high...
>
> Harald Weis wrote:
> >Has anybody configured a firewall behind an ISP router?
> >
> >My IPF rules contain:
> >@3 pass out quick on fxp0 proto tcp from any to 212.27.40.241/32 port = domain flags S/FSRPAU keep state
> >@4 pass out quick on fxp0 proto udp from any to 212.27.40.241/32 port = domain keep state
> >@5 pass out quick on fxp0 proto tcp from any to 212.27.40.240/32 port = domain flags S/FSRPAU keep state
> >@6 pass out quick on fxp0 proto udp from any to 212.27.40.240/32 port = domain keep state
> >
> >When running "ping www.freebsd.org" the DNS servers reply with "bad" packets like so:
> >18/11/2010 11:16:12.075987 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 203 IN bad
> >18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad
> >18/11/2010 11:16:19.074905 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 80 IN bad
> >18/11/2010 11:16:29.074863 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 80 IN bad
> >
> >Running "ping <IP address of www.freebsd.org>" is OK.
> >
> >I cannot find out the meaning of "bad" and whether the problem is in the router or in my "inclusive" firewall.
> >Please note that my firewall works fine with ISP modems.
> >
> >Thanks in advance for any help.
> >Harald Weis

-- 
Harald Weis
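As an added example (not code from this thread), a small Python parser for ipmon log lines in the format quoted above: it lists blocked inbound UDP packets from source port 53 and marks whether the sender is one of the two resolvers that rules @3 to @6 reference, which is the check worth running once a stateless "from any port = 53" rule is in place. The two log lines from the thread are reused; the 198.51.100.7 and 203.0.113.9 lines are constructed.

```python
import re

# ipmon line layout as seen in the thread:
#   date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen DIR [flags...]
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)(?P<flags>.*)$"
)

# Resolvers named in the outbound "keep state" rules @3-@6 of the original post.
CONFIGURED_RESOLVERS = {"212.27.40.240", "212.27.40.241"}

def parse_ipmon(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()  # e.g. ["bad"], or [] when no flags follow
    return rec

def blocked_dns_replies(lines, resolvers=CONFIGURED_RESOLVERS):
    """Return blocked ('b') inbound UDP packets with source port 53, each tagged
    with whether the source address is one of the configured resolvers."""
    out = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["action"] != "b" or rec["dir"] != "IN":
            continue
        if rec["proto"] != "udp" or rec["sport"] != "53":
            continue
        out.append({
            "src": rec["src"],
            "dst_port": int(rec["dport"]),
            "expected_resolver": rec["src"] in resolvers,
            "flags": rec["flags"],
        })
    return out

SAMPLE_LOG = [
    # two lines copied from the thread
    "18/11/2010 11:16:12.075987 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 203 IN bad",
    "18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad",
    # constructed: a port-53 reply from an address that is not a configured resolver
    "18/11/2010 11:16:20.000000 fxp0 @0:23 b 198.51.100.7,53 -> 192.168.0.111,43124 PR udp len 20 120 IN",
    # constructed: unrelated blocked TCP packet, must be ignored
    "18/11/2010 11:16:21.000000 fxp0 @0:23 b 203.0.113.9,4444 -> 192.168.0.111,22 PR tcp len 20 60 IN",
]

if __name__ == "__main__":
    for reply in blocked_dns_replies(SAMPLE_LOG):
        print(reply)
```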
