On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:
> What should I add then, considering my PF ruleset? To be honest, all of this
> is very unclear to me at the moment, so any help is appreciated.

How about:

pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state

see if that will do it for you.  You have a service called "domain" in your
rules, but it's only a macro/alias and not active.

Also, if I remember it right (without looking), traceroute defaults to UDP mode,
with ports (32768 + 666) + (every "*" in every hop counting as 1),
so depending on how many hops outbound you want to traceroute you'll have to
open those UDP ports outbound.

Of course you can be like windows and do traceroute -P1 to traceroute with
ICMP.

Remember from your basic networking texts that each hop decrements (-1) the
time to live, or the hop count.  When a router encounters an IP[46] packet
that would decrement to 0, it will not get forwarded and the router will reply
with an ICMP time exceeded message, aka timex reply.

Please familiarize yourself with tcpdump and, for learning purposes, wireshark,
and really analyze the packet headers against RFCs 791, 792 and 8200, found at
https://rfc-editor.org.

Best of Luck!
-pjp

> On 13-04-2024 at 02:39, Alexis wrote:
> > 
> > Karel Lucas <[email protected]> writes:
> > 
> > > Ping only works partially. For example, this works: ping -c 10
> > > 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
> > > suspect this has to do with DNS servers, but I don't know where to
> > > start troubleshooting.
> > 
> > Indeed, you appear to have no rules allowing outgoing requests to DNS
> > servers for name resolution.
> > 
> > 
> > Alexis.
> > 
> 

-- 
my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de
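As an added example (not part of the thread above): a small sh script that turns pjp's traceroute port arithmetic into PF rules, alongside the DNS rules from the reply. It assumes traceroute's first UDP probe goes to 32768 + 666 and each further probe uses the next port, as described above; the default of 3 probes per hop is an assumption about traceroute(8), so pass the value your build uses.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  First UDP traceroute
# probe: 32768 + 666 = 33434; every further probe (each "*" in each hop)
# uses the next port, so MAX_HOPS hops at NPROBES probes per hop need
# 33434 .. 33434 + MAX_HOPS*NPROBES - 1 open outbound.
# NPROBES defaulting to 3 is an assumption about your traceroute(8).

# usage: traceroute_port_range MAX_HOPS [NPROBES]  -> prints "first:last"
traceroute_port_range() {
    max_hops=$1
    nprobes=${2:-3}
    first=$((32768 + 666))
    last=$((first + max_hops * nprobes - 1))
    printf '%s:%s\n' "$first" "$last"
}

# usage: pf_traceroute_rules MAX_HOPS [NPROBES] -> prints a pf.conf fragment:
# the DNS rules from pjp's reply plus pass-out rules for the traceroute
# UDP range, for both address families.  keep state also lets the matching
# ICMP time-exceeded replies back in.
pf_traceroute_rules() {
    range=$(traceroute_port_range "$1" "$2")
    cat <<EOF
pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet  proto udp from any to any port $range keep state
pass out inet6 proto udp from any to any port $range keep state
EOF
}

# Syntax-check the generated fragment with pfctl -n where pfctl exists
# (i.e. on the OpenBSD box itself); elsewhere just print it for review.
check_fragment() {
    if command -v pfctl >/dev/null 2>&1; then
        pf_traceroute_rules "$1" "$2" | pfctl -nf -
    else
        pf_traceroute_rules "$1" "$2"
    fi
}

# check_fragment 30 3   # 30 hops x 3 probes -> port 33434:33523
```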