Hello Everyone;
dmz_ip="192.168.1.1"
dmz_block="192.168.1.0/24"
#DNS 1
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
#DNS 2
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"
#Normalizing
scrub in all
#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www
#Redirection
rdr on rl1 proto tcp from any to $pub_www port 80 -> $www_ip
#Default block policy
block all
#Anti-spoofing
block in quick from urpf-failed
#vr0 traffic
pass in on vr0 proto tcp from $int_block to any port 6112
pass in on vr0 proto tcp from $int_block to any port 80
pass in on vr0 proto tcp from $int_block to 207.212.58.16
pass in on vr0 proto tcp from $int_block to any port 443
pass in on vr0 proto tcp from $int_block to any port 5190
pass in on vr0 proto { udp, icmp } from $int_block to any
#pass in all
#pass out all
#rl1 traffic
pass in on rl1 proto { tcp, udp } from $dmz_block port 1024:65535 to any port 53
pass in on rl1 proto icmp from $scarlett to any
pass in on rl1 proto tcp from $www_ip to any port 80
pass in on rl1 proto { udp, icmp } from $www_ip to any
#rl0 traffic
pass out on rl0 proto { tcp, udp, icmp } all modulate state
# ifconfig -A
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:50:bf:3a:2e:66
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
inet 64.142.102.9 netmask 0xffffffff broadcast 64.142.102.9
inet 64.142.102.10 netmask 0xffffffff broadcast 64.142.102.10
inet 64.142.102.11 netmask 0xffffffff broadcast 64.142.102.11
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:13:46:30:0b:b2
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
I'm currently running DJBDNS 1.05 and cannot resolve my NS records
whenever my PF firewall is on a default blocking policy. The commented
line, rl1 traffic, contains the pass rule for any DNS traffic, but, even
with that line, I cannot resolve the NS records.
Whenever the pass in all and pass out all rules are set and loaded, DNS
resolves just fine, so it would seem that, somewhere in my rules, a
problem exists. If anyone who is familiar with PF or DNS has a thought
on how to solve this problem, their input is much appreciated.
Thank you;
Bray.
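A way to work through a question like this one without guessing is to trace individual packets through the filter rules using pf's own matching order (the last matching rule wins, unless a matching rule carries `quick`). The evaluator below is an added example, not code from the post or from pf itself. It parses only the syntax the post's rules use and does not model NAT/binat/rdr or state tracking. The value of `$int_block` is an assumption (the post references it but its definition is not shown), the external resolver address is constructed from the documentation range, and the vr0 TCP rules are left out because they cannot match the DNS packets traced here.

```python
# Added example (not from the post): a small evaluator for the post's filter
# rules that applies pf's "last matching rule wins, unless it is quick" order.
# It models only the syntax the post uses; NAT/binat/rdr and state tracking
# are left out, so it answers "which filter rule does this packet land on?".
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Macros copied from the post; $int_block is used there but not defined in
# the visible part, so its value here is an assumption.
MACROS = {"dmz_block": "192.168.1.0/24", "scarlett": "192.168.1.2",
          "www_ip": "192.168.1.4", "int_block": "10.0.0.0/24"}

# The post's filter section, with the wrapped port-53 rule rejoined. The vr0
# TCP rules are omitted here; they cannot match the DNS packets traced below.
RULESET = """\
block all
block in quick from urpf-failed
pass in on vr0 proto { udp, icmp } from $int_block to any
pass in on rl1 proto { tcp, udp } from $dmz_block port 1024:65535 to any port 53
pass in on rl1 proto icmp from $scarlett to any
pass in on rl1 proto tcp from $www_ip to any port 80
pass in on rl1 proto { udp, icmp } from $www_ip to any
pass out on rl0 proto { tcp, udp, icmp } all modulate state
"""

@dataclass
class Rule:
    text: str
    action: str
    direction: Optional[str] = None  # None: both directions
    quick: bool = False
    iface: Optional[str] = None      # None: any interface
    protos: Optional[set] = None     # None: any protocol
    src: object = None               # ip_network, "urpf-failed" or None (any)
    dst: object = None
    sport: Optional[tuple] = None    # (lo, hi) or None (any)
    dport: Optional[tuple] = None

Packet = namedtuple("Packet", "direction iface proto src dst sport dport", defaults=(0, 0))

def _addr(tok):
    if tok in ("any", "urpf-failed"):
        return None if tok == "any" else tok
    return ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    expanded = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)
    toks = expanded.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    r, i, after_to = Rule(text=line.strip(), action=toks[0]), 1, False
    while i < len(toks):
        t = toks[i]; i += 1
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t == "on":
            r.iface = toks[i]; i += 1
        elif t == "proto" and toks[i] == "{":
            j = toks.index("}", i)
            r.protos = set(toks[i + 1:j]); i = j + 1
        elif t == "proto":
            r.protos = {toks[i]}; i += 1
        elif t in ("from", "to"):
            setattr(r, "src" if t == "from" else "dst", _addr(toks[i])); i += 1
            after_to = after_to or t == "to"
        elif t == "port":  # a source port before 'to', a destination port after it
            lo, _, hi = toks[i].partition(":"); i += 1
            setattr(r, "dport" if after_to else "sport", (int(lo), int(hi or lo)))
        elif t not in ("all", "modulate", "keep", "state"):
            raise ValueError(f"unsupported token {t!r} in: {line.strip()}")
    return r

def load_rules(text=RULESET):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def _in_net(net, ip):
    if net == "urpf-failed":  # reverse-path check is not modelled: never matches here
        return False
    return net is None or ipaddress.ip_address(ip) in net

def matches(r, p):
    return ((r.direction in (None, p.direction)) and (r.iface in (None, p.iface))
            and (r.protos is None or p.proto in r.protos)
            and _in_net(r.src, p.src) and _in_net(r.dst, p.dst)
            and (r.sport is None or r.sport[0] <= p.sport <= r.sport[1])
            and (r.dport is None or r.dport[0] <= p.dport <= r.dport[1]))

def evaluate(rules, p):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    winner = None
    for r in rules:
        if matches(r, p):
            winner = r
            if r.quick:
                break
    return winner

def dns_walkthrough():
    """Trace constructed DNS packets through the ruleset; returns {label: (action, rule)}."""
    rules = load_rules()
    resolver = "198.51.100.53"  # constructed external resolver address
    pkts = {  # pf filters after translation, so binat'd addresses appear in their translated form
        "query scarlett->Internet, in on rl1": Packet("in", "rl1", "udp", "192.168.1.2", resolver, 40000, 53),
        "query scarlett->Internet, out on rl0": Packet("out", "rl0", "udp", "64.142.102.9", resolver, 40000, 53),
        "query Internet->scarlett, in on rl0": Packet("in", "rl0", "udp", resolver, "192.168.1.2", 40000, 53),
        "query LAN client->scarlett, in on vr0": Packet("in", "vr0", "udp", "10.0.0.20", "192.168.1.2", 40000, 53),
    }
    return {label: (evaluate(rules, p).action, evaluate(rules, p).text) for label, p in pkts.items()}

if __name__ == "__main__":
    for label, (action, rule) in dns_walkthrough().items():
        print(f"{action:5} {label:40} <- {rule}")
```

Running it prints the rule each packet lands on. The outbound query from the DNS host is passed in on rl1 by the port-53 rule and out on rl0 by the `modulate state` rule, and a LAN client's query is passed in on vr0. A query arriving from outside on rl0, addressed to one of the DNS servers, lands on `block all`, because none of the visible rules passes anything in on rl0; that, together with whether the state created by `modulate state` covers the replies to outbound queries (which this evaluator does not track), is the kind of thing a trace like this lets you check rule by rule instead of toggling `pass in all`.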