Re: pf firewall rules, dns lookup not working
> You can probably tweak the udp state timeout parameters. I suspect
> your nameserver is a bit slow. That, or it is doing something strange
> (not replying from port 53, perhaps?)
Well I know it's replying on port 53 because it works if I use these
lines:
#Allow our machines to lookup stuff
pass in quick on $int_if proto udp from $network_ips to $dns_servers port 53
pass in quick on $int_if proto tcp from $network_ips to $dns_servers port 53
pass in quick on $ext_if proto udp from $dns_servers port 53 to $network_ips
pass in quick on $ext_if proto tcp from $dns_servers port 53 to $network_ips
How do I tweak udp state timeouts? They should be set to something
high by default, surely not in the <10 seconds range. Any DNS request
taking that long would be suicide.
> Why not add:
>
> antispoof = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
> 127.0.0.0/8, 0.0.0.0/8, 224.0.0.0/3, 204.152.64.0/23, 169.254.0.0/16
> }"
>
> and simplify your rules a bit? ie
>
> block in log quick from $antispoof to any
'Cause that would just be the better way! C'mon now.
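For reference, here is a pf.conf fragment that shows both points raised in the thread in one place: the `set timeout` knobs that control UDP state lifetimes, and a bogon block of the kind suggested above, combined with a single stateful DNS rule instead of four stateless ones. This is an added example, not configuration from either poster; the interface names, the 192.168.1.0/24 client network and the 192.0.2.x resolver addresses are placeholders I made up. The macro is called `martians` rather than `antispoof` because `antispoof` is a reserved pf keyword.

```pf
# Added example (not from the thread): stateful DNS rules plus a bogon block
# for a hypothetical two-interface gateway. All macro values are placeholders.
ext_if      = "em0"
int_if      = "em1"
network_ips = "192.168.1.0/24"
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"   # constructed documentation addresses

# Source ranges that should never arrive on the external interface.
# Named "martians" because "antispoof" is a reserved pf keyword.
martians = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, \
              0.0.0.0/8, 224.0.0.0/3, 169.254.0.0/16 }"

# UDP state lifetimes in seconds. These are pf's defaults (udp.first 60,
# udp.single 30, udp.multiple 60); raise udp.first/udp.single if a resolver
# genuinely answers so slowly that states expire before the reply arrives.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

# Restrict the bogon block to $ext_if: $network_ips is itself inside
# 192.168.0.0/16, so a block on every interface would cut off the LAN.
block in log quick on $ext_if from $martians to any

# One stateful rule per direction of interest. The state entry created here
# matches the resolver's reply on $ext_if (states are floating by default),
# so no separate "pass in on $ext_if from $dns_servers port 53" rules are needed.
pass in quick on $int_if proto { tcp, udp } from $network_ips to $dns_servers port 53 keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s timeouts` prints the effective UDP timeouts and `pfctl -s state | grep ':53'` shows whether DNS states are being created and how long they live; if replies are being dropped, a state that has already expired (or was never created because the rule lacked `keep state` on an older pf) is the usual explanation.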