At 10:21 10/30/2002 -0300, you wrote:
> "pass in on xl0 inet proto { tcp, udp } from any to any port 53"
So, try:
pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state
"keep state" will mark packets for the stateful feature, allowing packets
back (DNS response). I block all TCP packets for port 53 because they
are just for domain transfers. Actually, I just pass it for my
secondary DNS servers.
On my 3.1 system, "keep state" is not keeping state correctly, so I
appended the following rule:
pass out on $EXT inet proto udp from any to any port 53 keep state
> Second question: ftp. I have seen different examples on how to treat ftp
> connections and the ftp-proxy. We need to have both incoming active+passive
> ftp and outgoing passive and again I'm unsure of how to treat ports >1023
> and 20.
Ports above 1024 are just for the socket source, like your machine trying
to connect to a web server. Take care about the destination port, usually well
known services (20, 21, 22, 25, 80, 110, 443, etc.).
pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state
pass out on xl0 inet proto {tcp, udp} from any to any port 53 keep state
should do the trick? But if I look at the DNS queries from outside, they are generated from port 53 to a high-numbered port and thus will be blocked with the above rules?
I suppose this is generally available information that I somehow did not pick up. However, the fact remains that there is something more to the pf ruleset than what I am used to from ipf.
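The stateful DNS rules from the first reply and the "replies come from port 53 to a high port" question just above, as an added pf.conf excerpt that is not from either poster. It assumes an OpenBSD 3.x-era pf, the external interface xl0 named in the thread, and that this host runs the DNS and FTP services itself; the internal interface and network, the secondary DNS addresses (documentation range 192.0.2.0/24) and the passive port range are invented for illustration, and the ftp-proxy redirect to 127.0.0.1:8021 assumes ftp-proxy is started from inetd, as the pf FAQ of that period described.

```pf
# Added example, not from the thread: pf.conf excerpt for an OpenBSD 3.x pf.
# Only xl0 comes from the thread; every other macro and address is assumed.
ext_if = "xl0"
int_if = "dc0"                                  # assumed internal interface
int_net = "192.168.1.0/24"                      # assumed internal network
secondary_dns = "{ 192.0.2.10, 192.0.2.11 }"    # assumed secondaries (documentation range)

# Translation rules come before filter rules.
# Outgoing FTP control connections from internal clients go to ftp-proxy on
# 127.0.0.1:8021 (assumed to be run from inetd); the proxy then opens the
# data connections on the clients' behalf.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block in log on $ext_if all
block out log on $ext_if all

# DNS queries this host sends out. The state entry created by "keep state"
# is matched by the reply, which arrives from port 53 to the high source
# port we used, so no separate "pass in ... from port 53" rule is needed
# and nothing is left open to unsolicited packets with a source port of 53.
pass out on $ext_if inet proto udp from any to any port 53 keep state

# DNS server on this host: UDP 53 from anyone, TCP 53 only from the
# secondaries, which are the only peers expected to need it here.
pass in on $ext_if inet proto udp from any to any port 53 keep state
pass in on $ext_if inet proto tcp from $secondary_dns to any port 53 flags S/SA keep state

# Incoming FTP to this host. Control channel:
pass in on $ext_if inet proto tcp from any to any port 21 flags S/SA keep state
# Active mode: the server opens the data connection from port 20 to the
# client's high port; the state entry covers the return traffic.
pass out on $ext_if inet proto tcp from any port 20 to any flags S/SA keep state
# Passive mode: the client connects to a high port the server advertises.
# Configure the FTP daemon to use a fixed range (assumed here) and open only
# that range instead of every port above 1023.
pass in on $ext_if inet proto tcp from any to any port 49152:65535 flags S/SA keep state

# Outgoing passive FTP from this host itself needs nothing special: the
# client side initiates both the control and the data connection, so a
# stateful "pass out" covers them.
pass out on $ext_if inet proto tcp from any to any flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -s state` while running a lookup: the single state entry for the outbound UDP query is what admits the reply, which is why the inbound "from port 53" case in the question above does not need its own rule.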
