> ns.foo.bar is a DNS slave that makes AXFR zone transfers from my server
> (mybox). Why is the traffic blocked on the first lines? What kind of
> traffic is that? Perhaps I don't understand DNS fully, but I thought
> zone transfers were made using TCP only, and ordinary queries UDP.

Zone transfers are TCP. My guess is that the first 3 lines of the dump refer
to a preliminary UDP SOA query. It's not clear from the information you've
provided why this is being blocked though.

> Here's the relevant part of my pf config:

Other bits of pf.conf might be relevant.

> # tcpdump -a -e -o -ttt -i pflog0

No need to complicate things - try

tcpdump -enttti pflog0 -s 1500

Why? Name resolution might be misleading, OS fingerprint is a guess, and the
[|proto] in your captures indicates you're truncating some information.

SteveW
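As an added example (not the poster's pf.conf and not SteveW's), the fragment below shows a rule set that passes only the TCP transfer, which would leave the slave's preliminary UDP SOA query in the logged drops, next to a rule that passes both; the interface name and the addresses are assumptions.

```pf
# Added example, not the original poster's configuration.
ext_if     = "em0"             # assumption: the master's external interface
mybox      = "192.0.2.10"      # assumption: the master (mybox), documentation range
ns_foo_bar = "198.51.100.53"   # assumption: the slave ns.foo.bar, documentation range

# Log everything that is dropped so it appears on pflog0.
block in log on $ext_if all

# Too narrow: this passes only the AXFR itself. Before transferring, the
# slave sends an SOA query over UDP to compare serial numbers; with only
# this rule that UDP query hits the block rule above and is the first
# thing you see in "tcpdump -enttti pflog0 -s 1500".
# pass in on $ext_if proto tcp from $ns_foo_bar to $mybox port 53 keep state

# Corrected: the slave may reach port 53 over UDP (the SOA serial check)
# and over TCP (the AXFR zone transfer). keep state lets the replies out.
pass in on $ext_if proto { tcp, udp } from $ns_foo_bar to $mybox port 53 keep state
```

After loading the rules, a transfer initiated on the slave should produce no new port-53 entries on pflog0 from that address.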

