Ok... I said screw it and completely re-did the config. I've got most of it working, but I'm still seeing just a few weird things that are getting blocked now...
6 is my block in, 7 is my block out. All of the other DNS is working just fine... I just see port 53 in here a couple of times...

============================
07:23:24.345466 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.31.108.206.3379: udp 12
07:23:24.502276 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.168.173.82.2805: udp 12
07:23:24.783620 rule 6/0(match): block in on dc1: 65.172.62.152.1024 > 198.77.116.8.53: 15534+ A? KRLK.direcpc.com. (46)
07:23:25.354632 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.25.23.239.1873: udp 12
07:23:25.404610 rule 7/0(match): block out on dc0: 213.67.113.237.3342 > 65.172.61.201.6346: S 3848218851:3848218851(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:23:25.413441 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 134.129.63.205.2672: udp 12
07:23:26.105551 rule 6/0(match): block in on dc1: 65.172.62.58.3777 > 62.195.38.112.2064: S 2594810045:2594810045(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
07:23:26.282313 rule 6/0(match): block in on dc1: 65.172.62.152.1024 > 198.77.116.8.53: 15534+ A? KRLK.direcpc.com. (46)
07:23:26.365464 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.27.244.188.1261: udp 12
07:23:26.522323 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.166.158.173.2239: udp 12
07:23:27.374891 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.30.166.133.2571: udp 12
07:23:27.482349 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.31.25.21.2886: udp 12
07:23:27.553453 rule 6/0(match): block in on dc1: 65.172.62.134.1709 > 172.145.107.136.3014: P 451548289:451548691(402) ack 14364311 win 9112 (DF)
07:23:28.374805 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.35.72.29.1519: udp 12
07:23:28.513473 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 65.171.14.29.1795: udp 12
07:23:28.602579 rule 6/0(match): block in on dc1: 65.172.62.134.1706 > 207.69.113.152.3607: P 450659155:450659527(372) ack 852793283 win 9112 (DF)
07:23:28.793476 rule 6/0(match): block in on dc1: 65.172.62.147.3086 > 205.188.179.233.5190: S 3584173258:3584173258(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
07:23:29.042444 rule 6/0(match): block in on dc1: 65.172.62.145.1145 > 64.12.161.153.5190: S 36704427:36704427(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
07:23:29.365514 rule 6/0(match): block in on dc1: 65.172.62.58.3973 > 65.35.65.139.2063: udp 12
07:23:29.453323 rule 6/0(match): block in on dc1: 65.172.62.140.1214 > 216.98.72.126.1826: udp 12
==================================

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Dixon
Sent: Monday, December 16, 2002 9:52 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...

On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> on the "tcpdump -nettti pflog0" command, should everything match the last
> two rules, which are:
>
> pass in log quick inet from any to any
> pass out log quick inet from any to any

No. You have a gazillion other "quick" rules in front of these. The first one that matches is going to force the action. That's why "quick" should be used very conservatively. Otherwise, last match wins.

> They were block, but I changed them to pass so I could better see what's
> going on with live traffic...

Don't start changing your rules without monitoring your traffic. What kind of logged traffic are you seeing? We can't help you if you don't work with us.

-J.
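As an added illustration of the "quick" versus last-match-wins point Jason makes above (this is not code from the thread or from pf itself), a small Python model of pf's rule evaluation order. The rule numbers other than 6 and 7, the udp/53 exception rule and the packet are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    num: int
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None = any interface
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port
    quick: bool = False          # stop evaluating as soon as this rule matches

def matches(rule: Rule, pkt: dict) -> bool:
    # A None field in the rule is a wildcard for that attribute.
    return (rule.direction == pkt["dir"]
            and rule.iface in (None, pkt["iface"])
            and rule.proto in (None, pkt["proto"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, int]:
    """Return (action, rule number) pf would apply: the LAST matching rule
    decides, unless a matching rule is 'quick', which ends evaluation there."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.num) if winner else ("pass", 0)  # pf default: pass

# Constructed ruleset shaped like the thread: quick block rules 6 and 7 early,
# the catch-all "pass ... quick" rules (numbered 8 and 9 here) at the end.
RULES = [
    Rule(6, "block", "in", iface="dc1", quick=True),
    Rule(7, "block", "out", iface="dc0", quick=True),
    Rule(8, "pass", "in", quick=True),
    Rule(9, "pass", "out", quick=True),
]

# Constructed packet shaped like the logged DNS query: inbound on dc1 to udp/53.
DNS_QUERY = {"dir": "in", "iface": "dc1", "proto": "udp", "dport": 53}

def with_quick() -> Tuple[str, int]:
    return evaluate(RULES, DNS_QUERY)      # rule 6 is quick, so rule 8 is never reached

def without_quick() -> Tuple[str, int]:
    relaxed = [Rule(r.num, r.action, r.direction, r.iface, r.proto, r.dport, False) for r in RULES]
    return evaluate(relaxed, DNS_QUERY)    # no quick: last match (rule 8) wins

def with_dns_exception() -> Tuple[str, int]:
    # A quick pass rule for udp/53 placed BEFORE rule 6 is the first match and decides.
    return evaluate([Rule(5, "pass", "in", "dc1", "udp", 53, True)] + RULES, DNS_QUERY)
```

Running the three functions shows why the trailing "pass ... quick" rules never see the DNS traffic, and that an exception has to sit in front of the quick block rule to take effect.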
