Hello,
Maybe a newbie question...
Architecture:
Internet
PF firewall on FreeBSD 5.5
DNS server (bind 9)
I set up a standard set of rules.
DNS queries often work, 'pfctl -ss' displays:
self udp 192.134.0.49:53 <- 129.199.96.11:55186 MULTIPLE:MULTIPLE
self udp 129.199.96.11:55186 -> 192.134.0.49:53 MULTIPLE:MULTIPLE
But sometimes, I see:
. this packet from my network to an external nameserver:
14:13:45.446435 IP (tos 0x0, ttl 254, id 49592, offset 0, flags [DF],
length: 83) 129.199.96.11.55186 > 192.134.0.49.53: 3796 [1au] PTR?
198.182.77.84.in-addr.arpa. (55)
. and the answer is:
14:13:45.449574 IP (tos 0x0, ttl 58, id 29408, offset 0, flags [+],
length: 1500) 192.134.0.49.53 > 129.199.96.11.55186: 3796 NXDomain*- 0/6/6
(1472)
. and pf blocks:
14:13:45.449593 rule 0/0(match): block in on em1: IP 192.134.0.49.53 >
129.199.96.11.55186: 3796 NXDomain*- 0/6/6 (1472)
14:13:45.449602 rule 0/0(match): block in on em1: IP 192.134.0.49 >
129.199.96.11: udp
As far as I understand, packets are blocked when flags are [+]. Usual packets have flags [DF].
Of course, I can make things work with a rule like:
pass in quick on em1 from any to 129.199.96.11
But where is the trouble? Is there a better fix?
--
Jacques Beigbeder | [EMAIL PROTECTED]
Service de Prestations Informatiques | http://www.spi.ens.fr
Ecole normale supérieure |
45 rue d'Ulm |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05 |Fax : (+33 1)1 44 32 20 75
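For a ruleset like the one described, the mitigation a PF administrator would normally reach for is fragment reassembly, so that a large DNS reply split into fragments is matched as one datagram against the state the query created instead of being evaluated fragment by fragment against the block rule. The pf.conf excerpt below is an added example, not the poster's configuration; only the interface name and the server address come from the post, everything else is assumed.

```conf
# Constructed pf.conf excerpt (added example, not the poster's ruleset).
# em1 and 129.199.96.11 are taken from the post; all other rules are assumed.
ext_if  = "em1"
dns_srv = "129.199.96.11"

# Weak workaround mentioned in the post: it admits every inbound packet
# to the server, not only the fragments of the DNS reply.
# pass in quick on $ext_if from any to $dns_srv

# Fix: reassemble IP fragments before rule evaluation. Without this, a
# fragmented reply (tcpdump "flags [+]") is tested against the rules
# without ports and without state, and falls through to the block rule.
scrub in on $ext_if all fragment reassemble

# Default deny, logged, as in the post ("rule 0/0(match): block in").
block in log on $ext_if all

# Outbound recursive queries from the resolver create UDP state; the
# reassembled reply is then accepted by that state, no extra pass rule.
pass out on $ext_if proto udp from $dns_srv to any port 53 keep state

# Inbound queries to the name server itself.
pass in on $ext_if proto udp from any to $dns_srv port 53 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -ss` should show the same UDP state entries as before while the pflog no longer records blocked fragments of the reply.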