Hello Everyone;

dmz_ip="192.168.1.1"
dmz_block="192.168.1.0/24"
#DNS 1
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
#DNS 2
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"


#Normalizing
scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Redirection
rdr on rl1 proto tcp from any to $pub_www port 80 -> $www_ip

#Default block policy
block all

#Anti-spoofing
block in quick from urpf-failed

#vr0 traffic
pass in on vr0 proto tcp from $int_block to any port 6112
pass in on vr0 proto tcp from $int_block to any port 80
pass in on vr0 proto tcp from $int_block to 207.212.58.16
pass in on vr0 proto tcp from $int_block to any port 443
pass in on vr0 proto tcp from $int_block to any port 5190
pass in on vr0 proto { udp, icmp } from $int_block to any

#pass in all
#pass out all

#rl1 traffic
pass in on rl1 proto { tcp, udp } from $dmz_block port 1024:65535 to any port 53
pass in on rl1 proto icmp from $scarlett to any
pass in on rl1 proto tcp from $www_ip to any port 80
pass in on rl1 proto { udp, icmp } from $www_ip to any

#rl0 traffic
pass out on rl0 proto { tcp, udp, icmp } all modulate state


# ifconfig -A
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:50:bf:3a:2e:66
       groups: egress
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
       inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
       inet 64.142.102.9 netmask 0xffffffff broadcast 64.142.102.9
       inet 64.142.102.10 netmask 0xffffffff broadcast 64.142.102.10
       inet 64.142.102.11 netmask 0xffffffff broadcast 64.142.102.11
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:13:46:30:0b:b2
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
       inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2

I'm currently running DJBDNS 1.05 and cannot resolve my NS records whenever my PF firewall is on a default blocking policy. The commented line, rl1 traffic, contains the pass rule for any DNS traffic, but, even with that line, I cannot resolve the NS records. Whenever the pass in all and pass out all rules are set and loaded, DNS resolves just fine, so it would seem that, somewhere in my rules, a problem exists. If anyone who is familiar with PF or DNS has a thought on how to solve this problem, their input is much appreciated.

Thank you;
Bray.
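The fragment below is an added example, not part of Bray's post, showing the DNS-related rules a ruleset like the one above needs under "block all": nothing in the posted rules passes queries in on rl0 to the public addresses of scarlett and shelly (binat only translates, it does not pass), and the rl1 rule carries no state. The macros are the post's own; "keep state" is written out because PF releases before OpenBSD 4.1 do not add it to pass rules by default.

```pf
# Added example (not from the original post). Macros $pub_scarlett,
# $pub_shelly and $dmz_block are the ones defined in the posted pf.conf.

# Queries from the Internet to the authoritative servers. The binat rules
# rewrite the destination to $scarlett / $shelly, but "block all" still
# drops the packet on rl0 unless a pass rule matches it. With state, the
# answer (tinydns replies from port 53) follows the same state entry back
# out on rl0, so no separate reply rule is needed.
pass in on rl0 proto { tcp, udp } from any \
    to { $pub_scarlett, $pub_shelly } port 53 keep state

# Recursive lookups the DMZ resolvers send out. PF states are floating by
# default, so one state entry created here also matches the packet as it
# leaves on rl0 and the reply as it comes back in on rl0 and out on rl1.
# Without state (older releases, or the posted rule as written), every
# interface and direction on that path would need its own pass rule.
pass in on rl1 proto { tcp, udp } from $dmz_block port 1024:65535 \
    to any port 53 keep state
```

To confirm which hop is dropping the packets before changing rules, turn the default rule into "block log all" and watch "tcpdump -n -e -ttt -i pflog0 port 53"; each logged line shows the interface, direction and rule number that blocked the DNS packet.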
