
Re: Help! pf.conf



If you are passing DNS out through your packet filtering firewall, you
need to let it back in as well.

DNS uses 53/UDP and 53/TCP

If the OBSD box is a FW, consider running a caching DNS server on the box
itself - it would serve DNS inside your network and go out to the
Internet when necessary. Cleaner [no direct communication between your
private hosts and the big bad wild 'net] and often faster [caching
responses locally].

regards,
ram




-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
Of Jenkins, Curtis
Sent: Tuesday, March 12, 2002 11:02
To: misc@openbsd.org
Subject: Help! pf.conf

Hi,

I'm new to OpenBSD, been working with it for two months trying to figure
it out. Got as far as everything working except for pf.conf rules. It
passes data but will not resolve DNS. I have my ISP DNS server as the DNS
server to use. I have gone through all the man, FAQ pages and even
searched Google for info, that is how I got this far. I need to know if
anyone can see anything wrong with my pf.conf file. I did it the long way
for now, will compact it later once I know more about it.

Thanks

Ext = "de0"	#External Interface
Int = "de1"	#Internal Interface

#Normalization of packets
scrub in all

#Don't let anyone spoof non-routable addresses
block in quick on $Ext inet from 127.0.0.0/8 to any
block in quick on $Ext inet from 192.168.0.0/16 to any
block in quick on $Ext inet from 172.16.0.0/12 to any
block in quick on $Ext inet from 10.0.0.0/8 to any
block out quick on $Ext inet from any to 127.0.0.0/8
block out quick on $Ext inet from any to 192.168.0.0/16
block out quick on $Ext inet from any to 172.16.0.0/12
block out quick on $Ext inet from any to 10.0.0.0/8

#Lock down with default deny
block in quick on $Ext inet from any to any

#Let internal network traffic out
pass out on $Ext inet from any to any keep state
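What ram's advice looks like written out as rules, as an added example for this thread (it is not Curtis's posted config and not an OpenBSD sample ruleset): the de0/de1 macros are taken from the original post; the ISP resolver address and the internal network are constructed placeholders that you would replace with your own, and the syntax follows the era of the post (explicit keep state on every pass rule).

```pf
# Added example ruleset - not the poster's config.
# Macros from the original post; addresses below are placeholders.
Ext = "de0"                     # external interface (from the post)
Int = "de1"                     # internal interface (from the post)
isp_dns = "192.0.2.53"          # placeholder: your ISP's resolver (TEST-NET-1, constructed)
int_net = "192.168.1.0/24"      # placeholder: your internal network (constructed)

# Normalization of packets
scrub in all

# Don't let anyone spoof non-routable addresses (unchanged from the post)
block in quick on $Ext inet from 127.0.0.0/8 to any
block in quick on $Ext inet from 192.168.0.0/16 to any
block in quick on $Ext inet from 172.16.0.0/12 to any
block in quick on $Ext inet from 10.0.0.0/8 to any
block out quick on $Ext inet from any to 127.0.0.0/8
block out quick on $Ext inet from any to 192.168.0.0/16
block out quick on $Ext inet from any to 172.16.0.0/12
block out quick on $Ext inet from any to 10.0.0.0/8

# Default deny inbound on the external interface. 'log' sends every
# blocked packet to pflog0 so a dropped DNS answer is visible, not silent.
block in log quick on $Ext inet from any to any

# DNS: let the queries out AND their answers back in.
# 'keep state' on the outbound rule creates a state entry; the answer
# from the resolver matches that entry and is accepted before the
# 'block in' rule above is ever consulted. Both 53/UDP and 53/TCP are
# needed: answers too large for UDP are retried over TCP.
pass out on $Ext inet proto udp from any to $isp_dns port 53 keep state
pass out on $Ext inet proto tcp from any to $isp_dns port 53 flags S/SA keep state

# Everything else out, stateful, so replies are matched the same way
pass out on $Ext inet from any to any keep state

# If a caching resolver runs on the firewall itself (ram's suggestion),
# inside hosts must be allowed to reach it on the internal interface.
# Nothing from the inside needs to talk to the ISP resolver directly then.
pass in on $Int inet proto udp from $int_net to $Int port 53 keep state
pass in on $Int inet proto tcp from $int_net to $Int port 53 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a syntax error leaves the old ruleset in place without telling you why resolution still fails. After loading, resolve a name from an inside host and look for the 53/UDP entry with `pfctl -s state`; if it is there and the answer still does not arrive, `tcpdump -n -e -ttt -i pflog0` shows exactly which rule dropped it.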