Jonathan Rogers wrote:
DNS primarily goes over UDP.  You need to open up udp/53.


Again, I opened up both TCP and UDP ports, but the effect was the same.

In any case, refer back to the original posting - the blocked packet
from the tcpdump shown is clearly of a TCP packet (it would say "UDP"
at the end otherwise).

The first question still stands...

Just to check, you say you opened the port for UDP but you don't say
whether you added udp to the rule so it would say:

pass in quick on $dmz_if inet proto { tcp udp } from 192.168.3.0/26  \
to any port  { 53 80  } keep state flags S/SA \
label "pass in dmz->any!good"

The only other thing I can think of is whether, when logging, the rule
number refers to the number of the rule as counted in pf.conf, or to the
number of the rule once the ruleset has been expanded - I'm not sure
about that one.

And the entire rules set would be helpful.
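The thread turns on two things that are easy to misread from pflog output: which protocol the blocked packet actually used, and which rule number the log refers to. The rule number in a pflog line is the rule's position in the loaded ruleset, i.e. after macros and lists such as `{ tcp udp }` and `{ 53 80 }` have been expanded, which is what `pfctl -vvsr` shows with its `@N` prefixes, not the line in pf.conf. The following parser is an added example, not code from this thread or from the pf project: it reads lines in the format `tcpdump -n -e -ttt -i pflog0` prints, classifies each packet as tcp or udp by a heuristic on the tail of the line (tcpdump prints `Flags [...]` for TCP, and for UDP either a decoded DNS query/response or a raw `UDP, length N` trailer), and tallies what each rule blocked by protocol and destination port. The sample log lines are constructed for the example; the original poster's tcpdump output was not reproduced on the page.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n -e -ttt -i pflog0`.
# These are NOT the lines from the thread; they are made up to exercise the parser.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 5/0(match): block in on em1: 192.168.3.10.49152 > 10.0.0.1.53: Flags [S], seq 123456, win 65535, length 0
00:00:01.000123 rule 5/0(match): block in on em1: 192.168.3.10.40000 > 10.0.0.1.53: 1234+ A? example.com. (29)
00:00:02.000456 rule 3/0(match): pass in on em1: 192.168.3.10.50000 > 10.0.0.2.80: Flags [S], seq 1, win 65535, length 0
00:00:03.000789 rule 5/0(match): block in on em1: 192.168.3.10.40001 > 10.0.0.1.53: UDP, length 29
"""

# One pflog line: timestamp, "rule N/M(reason):", action, direction, interface,
# then "src.sport > dst.dport: <protocol-specific tail>".  IPv4 only here.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass|match) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def guess_proto(rest):
    """Heuristic (an assumption of this example, not a pf guarantee):
    tcpdump prints 'Flags [...]' for TCP; UDP appears either as a decoded
    DNS message ('1234+ A? ...', '1234 1/0/0 A ...') or as 'UDP, length N'."""
    if rest.startswith("Flags ["):
        return "tcp"
    if rest.startswith("UDP") or re.match(r"\d+[+*$|%-]* ", rest):
        return "udp"
    return "other"


def parse_line(line):
    """Return a dict for one pflog line, or None if the line is not in that format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["proto"] = guess_proto(rec["rest"])
    return rec


def parse_pflog(text):
    """Parse every recognisable line; silently skip anything else (e.g. tcpdump banners)."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count packets by (action, proto, dport): a blocked udp/53 stands out immediately."""
    return Counter((r["action"], r["proto"], r["dport"]) for r in records)


def blocked_by_rule(records):
    """Map each logged rule number to the set of (proto, dport) it dropped.
    The number is the rule's position in the loaded, expanded ruleset; compare
    it against the '@N' column of `pfctl -vvsr`, not against pf.conf line order."""
    out = {}
    for r in records:
        if r["action"] == "block":
            out.setdefault(r["rule"], set()).add((r["proto"], r["dport"]))
    return out


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in sorted(summarize(recs).items()):
        print(key, n)
    print(blocked_by_rule(recs))
```

Run it against a real capture with `tcpdump -n -e -ttt -i pflog0 > pflog.txt` and feed the file's contents to `parse_pflog`. If the summary shows both `('block', 'tcp', 53)` and `('block', 'udp', 53)` under the same rule number, the pass rule is not matching at all (rather than matching one protocol but not the other), which points at a macro or address mismatch instead of a missing `udp` in the protocol list.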
