On Thu, Nov 18, 2010 at 07:55:14PM +0100, Harald Weis wrote:
> On Thu, Nov 18, 2010 at 09:25:48AM -0700, Joseph S. Dietz, Jr. wrote:
> > Your issue is not with Ping aka ICMP but with DNS...
> >
> > Try some of these...
> >
> > pass in quick proto tcp/udp from any port = 53 to your-dns-server port > 1023
>
> Yes, that works. This is beautiful. I have added one single line:
>
> pass in quick proto udp from any port = 53 to $myip port > 1023
>
> And I see that the reply to ping does not come from the ISP's
> official DNS server but from another one. I can guess the reason.
No it does not work. Ping works, but not the rest, e.g. http et cetera.

In the meantime I have shamefully realized that I have completely overlooked the fact that my desktop computer (configured with two Ethernet interfaces) has worked perfectly for ages with exactly the same firewall (without the above 'pass in' rule) at the same physical level of the router as the laptop. The router has five Ethernet outlets allowing the connection of five PCs. All outlets seem to be totally equivalent. Why does the same set of rules not work for the laptop? Mystery. I repeat that the set of rules is strictly identical, with the obvious exception of the interface names.

For memory, the icmp protocol gets blocked by bad packets like this:

18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad

And the http protocol gets blocked by bad packets like this:

18/11/2010 20:39:41.371115 fxp0 @0:24 b 195.71.11.67,80 -> 192.168.0.111,36923 PR tcp len 20 60 -AS IN bad

I also recall that all 'pass out' rules have 'flags S/FSRPAU keep state' set.

Thanks in advance,
Harald Weis
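The two ipmon lines quoted above carry everything needed to see what is being dropped: both are inbound ('IN') blocks ('b') from a well-known service port (53, 80) to a high port on the laptop, and the TCP one is a SYN-ACK ('-AS'), i.e. the reply half of a connection the laptop itself opened. That pattern is the signature of return traffic not being matched by a 'keep state' entry, which is why a stateless 'pass in ... from any port = 53' makes ping work but fixes nothing else (and it also admits any packet that merely claims source port 53). The parser and classifier below are an added example, not code from this thread or from IPFilter; the line layout is inferred from the two lines quoted above, the third sample line is constructed, and the 'looks like a reply' heuristic (source port below 1024, destination port 1024 or above) is my own.

```python
import re
from typing import Optional

# ipmon(8) line layout as it appears in the thread (assumption: other
# protocols may add fields after the length, which this regex tolerates only
# for the optional TCP flag field):
#   date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [tcpflags] IN|OUT [notes]
IPMON_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpBP])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<tcpflags>-[A-Z]+))?\s+(?P<dir>IN|OUT)(?P<notes>.*)$"
)

# The first two lines are the ones quoted in the thread; the third is a
# constructed 'pass out' line for the SYN that the blocked SYN-ACK answers.
SAMPLE_LINES = [
    "18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad",
    "18/11/2010 20:39:41.371115 fxp0 @0:24 b 195.71.11.67,80 -> 192.168.0.111,36923 PR tcp len 20 60 -AS IN bad",
    "18/11/2010 20:39:41.370000 fxp0 @0:7 p 192.168.0.111,36923 -> 195.71.11.67,80 PR tcp len 20 60 -S OUT",
]


def parse_ipmon_line(line: str) -> Optional[dict]:
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["action"] = rec["action"].lower()           # 'b' blocked, 'p' passed
    # '-AS' -> {'A', 'S'}; the leading dash is ipmon's separator, not a flag
    rec["tcpflags"] = set(rec["tcpflags"][1:]) if rec["tcpflags"] else set()
    rec["notes"] = rec["notes"].split()              # e.g. ['bad']
    return rec


def classify(rec: dict) -> str:
    """Label a record so that blocked reply traffic stands out from other drops."""
    if rec["action"] != "b":
        return "passed"
    if rec["dir"] != "IN":
        return "blocked-outbound"
    # Heuristic (assumption): service port -> ephemeral port is the shape of a
    # reply to something this host initiated, so it should normally have been
    # matched by state from the outbound rule rather than reaching a block rule.
    looks_like_reply = rec["sport"] < 1024 and rec["dport"] >= 1024
    if rec["proto"] == "tcp" and {"S", "A"} <= rec["tcpflags"] and looks_like_reply:
        return "blocked-syn-ack-reply"
    if rec["proto"] == "udp" and looks_like_reply:
        return "blocked-udp-reply"
    return "blocked-inbound"


def audit(lines) -> list:
    """Parse a batch of ipmon lines; return (rule, proto, verdict, flagged_bad) tuples."""
    results = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None:
            continue
        results.append((rec["rule"], rec["proto"], classify(rec), "bad" in rec["notes"]))
    return results


if __name__ == "__main__":
    for rule, proto, verdict, bad in audit(SAMPLE_LINES):
        print(f"rule @0:{rule:<3} {proto:<4} {verdict:<24} bad={bad}")
```

Run against a real ipmon log, a run of 'blocked-syn-ack-reply' and 'blocked-udp-reply' verdicts hitting the same block rule is the thing to chase: it says the outbound 'keep state' entry is not being created or not being found for that interface, and no amount of widening the inbound rules addresses that.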
