> "pass in on xl0 inet proto { tcp, udp } from any to any port 53"
Try:
pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state
"keep state" will mark packets for stateful feature, allowing packets
back (dns response). I block all tcp packet for port 53 because they
are just for domains transfer. On really, I just pass it for my
secondary dns servers.
On my 3.1 system, "keep state" is not keeping state correctly, so I
appended the following rule:
pass out on $EXT inet proto udp from any to any port 53 keep state
> Second question: ftp. I have seen different examples on how to treat ftp
> connections and the ftp-proxy. We need to have both incoming active+passive
> ftp and outgoing passive and again I'm unsure of how to treat ports >1023
> and 20.
Ports above 1024 are just for socket source, like your machine trying
to connect a web server. Take care about destination port, usually well
know services (20, 21, 22, 25, 80, 110, 443, etc).
--
Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration
South America
Tel.: + 55 11 6224-1795
Public Key ID: FB5972D1@http://search.keyserver.net
