PF udp not keeping state.
- To: OpenBSD Misc <misc@openbsd.org>
- Subject: PF udp not keeping state.
- From: Jan Johansson <janj-openbsd@wenf.org>
- Date: Sun, 3 Mar 2002 15:38:37 +0100
- Content-Disposition: inline
- User-Agent: Mutt/1.2.5.1i
I have noticed a lot of DNS traffic that does not seem to keep
state and wonder if it is me, PF or DNS that is drunk, so if
anyone can explain this I would be happy. I have tried setting up
a local bind with forwarders but that only changed the port
number on my machine.
System is 3.0-stable.
Example log lines
Without named.
rule 5/0(match): block in on xl0: 10.0.0.1.53 > 217.208.XX.XX.59397: 59559 ServFail 0/0/0 (43)
With named.
rule 5/0(match): block in on xl0: 10.0.0.2.53 > 217.208.XX.XX.53: 45862 ServFail 0/0/0 (32)
/etc/pf.conf
# $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
#
# See pf.conf(5) for syntax and examples
ExtIf="xl0"
IntIf="fxp0"
# Clean packets.
scrub in on $ExtIf all
# Block
block in log all
block out log all
block return-rst in log proto tcp all
block return-rst out log proto tcp all
block return-icmp in log proto udp all
block return-icmp out log proto udp all
# Loopback
pass in on lo0 all
pass out on lo0 all
# Localnet
pass in on $IntIf from 192.168.???.0/24 to any
pass out on $IntIf from any to 192.168.???.0/24
# ICMP
# Port unreachable
pass in on $ExtIf inet proto icmp all icmp-type 3 code 3 keep state
pass out on $ExtIf inet proto icmp all icmp-type 3 code 3 keep state
# Ping
pass in on $ExtIf inet proto icmp all icmp-type 8 code 0 keep state
pass out on $ExtIf inet proto icmp all icmp-type 8 code 0 keep state
# UDP
pass in on $ExtIf proto udp from any port = 7000 to any
pass out on $ExtIf proto udp all keep state
# TCP
pass in on $ExtIf proto tcp from any to any port { http, ident, smtp, ssh }
pass out on $ExtIf proto tcp all keep state
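A small parser for pflog lines in the shape quoted above, added here as an example and not part of the original post, that picks out the blocked inbound DNS answers on the external interface and sorts them by whether they were addressed to port 53 (a local named) or to an ephemeral port (a stub resolver). The interface name xl0 comes from the post; the addresses in the sample lines are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in the shape of the tcpdump(8) pflog output quoted
# in the post; the addresses are documentation/sample values, not real hosts.
SAMPLE_LOG = """\
rule 5/0(match): block in on xl0: 10.0.0.1.53 > 217.208.1.2.59397: 59559 ServFail 0/0/0 (43)
rule 5/0(match): block in on xl0: 10.0.0.2.53 > 217.208.1.2.53: 45862 ServFail 0/0/0 (32)
rule 5/0(match): block in on xl0: 10.0.0.1.53 > 217.208.1.2.60012: 12345 1/0/0 A 192.0.2.10 (60)
rule 5/0(match): block in on xl0: 198.51.100.9.4321 > 217.208.1.2.22: S 1:1(0) win 16384 (44)
"""

# One pflog line: "rule N/M(reason): action dir on ifc: src.sport > dst.dport: payload"
LOG_RE = re.compile(
    r"^rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<payload>.*)$"
)

def parse_pflog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pflog line into fields; returns None for lines in another shape."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def blocked_dns_replies(lines: List[str], ext_if: str) -> List[Dict[str, str]]:
    """Inbound packets on ext_if from source port 53 that hit a block rule.
    Each one is a DNS answer for which pf found no state entry: either the
    query left through a rule without 'keep state', or the entry had already
    expired (pf's udp timeouts are short) before the answer came back."""
    out = []
    for line in lines:
        f = parse_pflog_line(line)
        if f and f["action"] == "block" and f["dir"] == "in" \
                and f["ifc"] == ext_if and f["sport"] == "53":
            out.append(f)
    return out

def reply_port_summary(lines: List[str], ext_if: str) -> Counter:
    """Count blocked answers by the local port they were addressed to.
    Replies to port 53 went to a local named querying from its own port 53;
    replies to a high port went to a stub resolver's ephemeral socket."""
    return Counter(
        "53" if f["dport"] == "53" else "ephemeral"
        for f in blocked_dns_replies(lines, ext_if)
    )

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in blocked_dns_replies(lines, "xl0"):
        print(f"rule {f['rule']}: {f['src']} -> {f['dst']}:{f['dport']} {f['payload']}")
    print(reply_port_summary(lines, "xl0"))
```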