Greetings,
My 3.7 firewall is holding up DNS requests. pflog suggests that my very
first rule, 'block log all' is stopping them.
Nov 11 02:11:48.853946 rule 0/(match) block in on xl0: 192.168.2.254.60399 > 68.12.16.229.53: 23554+[|domain] (DF)
Further down my rule set, however, exists the following rule:
pass out quick log on $ext_if proto udp all keep state
If I'm not mistaken, that rule should allow outgoing DNS requests on my
external interface, as well as the return packets.
Any suggestions on getting a "resolution" to this matter would be
appreciated. Thanks.
My /etc/pf.conf:
--------------------------------------------------
int_if = "re0" # 192.168.1.0/24
wir_if = "xl0" # 192.168.2.0/24
ext_if = "rl0" # DHCP
tcp_services = "{ 22, 993, 80 }"
icmp_types = "echoreq"
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
nat on $ext_if from 192.168.2.0/24 to any -> ($ext_if)
block log all
pass quick on lo0 all
antispoof quick for $int_if inet
pass in on $wir_if inet proto tcp from any to ($wir_if) port $tcp_services flags S/SA keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out quick log on $ext_if proto udp all keep state
pass out quick log on $ext_if proto icmp all keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
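As an added illustration (not part of the post, and not pf itself): a toy model of pf's filter-rule evaluation run over the ruleset quoted above. pf filters a forwarded packet separately on each interface it crosses, so a query arriving in on xl0 is judged by the "in" rules for xl0 before any "pass out on $ext_if" rule is consulted. The extra inbound rule at the end is an assumption made here, not something the post contains.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out" or None for either
    iface: Optional[str] = None        # interface name or None for any
    proto: Optional[str] = None        # "tcp", "udp", "icmp" or None for any
    dports: frozenset = frozenset()    # destination ports, empty = any
    quick: bool = False

    def matches(self, direction, iface, proto, dport):
        return (self.direction in (None, direction) and
                self.iface in (None, iface) and
                self.proto in (None, proto) and
                (not self.dports or dport in self.dports))

# Filter rules from the post, in order (nat and antispoof omitted;
# wir_if=xl0, ext_if=rl0). Rule 0 is the bare "block log all".
RULES = [
    Rule("block"),
    Rule("pass", iface="lo0", quick=True),
    Rule("pass", "in", "xl0", "tcp", frozenset({22, 993, 80})),
    Rule("pass", "out", "rl0", "tcp"),
    Rule("pass", "out", "rl0", "udp", quick=True),
    Rule("pass", "out", "rl0", "icmp", quick=True),
    Rule("pass", "in", None, "icmp"),
]

def evaluate(rules, direction, iface, proto, dport):
    """One pass over the ruleset: last match wins, 'quick' stops evaluation."""
    decision = None                    # rule 0 matches everything, so never None here
    for n, r in enumerate(rules):
        if r.matches(direction, iface, proto, dport):
            decision = (r.action, n)
            if r.quick:
                break
    return decision

def trace(rules, in_if, out_if, proto, dport):
    """A forwarded packet is filtered inbound on in_if first, then outbound
    on out_if; the outbound rules are never reached if inbound blocks it."""
    hops = [("in", in_if) + evaluate(rules, "in", in_if, proto, dport)]
    if hops[0][2] == "pass":
        hops.append(("out", out_if) + evaluate(rules, "out", out_if, proto, dport))
    return hops

# The logged query: udp in on xl0 from 192.168.2.254 to 68.12.16.229 port 53.
print(trace(RULES, "xl0", "rl0", "udp", 53))  # -> [('in', 'xl0', 'block', 0)]
# Assumed fix (not from the post): an inbound pass rule for DNS on the wireless side.
FIXED = RULES + [Rule("pass", "in", "xl0", "udp", frozenset({53}))]
print(trace(FIXED, "xl0", "rl0", "udp", 53))
# -> [('in', 'xl0', 'pass', 7), ('out', 'rl0', 'pass', 4)]
```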