> So,
>
> pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state
> pass out on xl0 inet proto {tcp, udp} from any to any port 53 keep state
>
> should do the trick? But if I look at the DNS queries from outside they are
> generated from port 53 to a high-numbered port and thus will be blocked
> with the above rules?
Don't look at the source packet, but at the destination. In these you can see port 53, where the name service runs.

[root@goku:root]# tcpdump -i eth0 -n port 53
tcpdump: listening on eth0
13:34:35.922231 146.250.147.127.1030 > 146.250.158.238.53: 46641+ A? helio.loureiro.eng.br. (39) (DF)
13:34:35.929837 146.250.158.238.53 > 146.250.147.127.1030: 46641 2/5/4 CNAME[|domain] (DF)

Here you can see a tcpdump from my Linux laptop (yes, Linux), where I started an "nslookup". My machine, 146.250.147.127, started the connection from port 1030 (any free port above 1024) to the DNS server, 146.250.158.238, port 53.

> I suppose this is generally available information that I somehow did not
> pick up. However, the fact remains that there is something more to the pf
> ruleset than what I am used to from ipf.

As I said, "keep state" looks like it is not working properly, so you can just add a rule for outgoing packets.

-- 
Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration South America
Tel.: + 55 11 6224-1795
Public Key ID: FB5972D1@http://search.keyserver.net
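The point of the reply is that the rules match on the destination port (53) and that the answer coming back from port 53 to the high client port is let through by the state entry the outgoing query created, not by any rule. The following is an added example, not code from the thread or from pf: a small, hypothetical model of a stateful filter that parses tcpdump summary lines like the two above (the sample lines are constructed after them), applies the two quoted port-53 rules, and shows the decisions once with "keep state" and once without it. It assumes the filter's own address is 146.250.147.127 so that direction can be inferred from the source address; pf's real rule evaluation (last matching rule, per-protocol state, timeouts) is deliberately not modelled.

```python
import re
from dataclasses import dataclass

# Constructed tcpdump summary lines, modelled on the two in the reply above:
# a query from a high client port to port 53 and the server's answer back.
SAMPLE_CAPTURE = """\
13:34:35.922231 146.250.147.127.1030 > 146.250.158.238.53: 46641+ A? helio.loureiro.eng.br. (39) (DF)
13:34:35.929837 146.250.158.238.53 > 146.250.147.127.1030: 46641 2/5/4 CNAME[|domain] (DF)
"""

# Matches "<time> <src>.<sport> > <dst>.<dport>:" at the start of a tcpdump line.
LINE_RE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_capture(text):
    """Turn tcpdump summary lines into Packet tuples; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return packets


@dataclass(frozen=True)
class Rule:
    direction: str    # "in" or "out"
    dport: int        # the "to any port N" part of the rule
    keep_state: bool  # whether the rule carries "keep state"


class StatefulFilter:
    """Simplified model of a stateful packet filter (hypothetical, not pf's own logic).

    Direction is inferred from whether the packet's source is the host's own address.
    A packet is first matched against the state table, then against the rules.
    """

    def __init__(self, rules, local_ip):
        self.rules = rules
        self.local_ip = local_ip
        self.state = set()   # 4-tuples allowed by an earlier "keep state" match

    def direction(self, pkt):
        return "out" if pkt.src == self.local_ip else "in"

    def evaluate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return "pass (state)"
        for rule in self.rules:
            # Only the destination port is compared; the source port is never consulted.
            if rule.direction == self.direction(pkt) and rule.dport == pkt.dport:
                if rule.keep_state:
                    self.state.add(key)                                       # query direction
                    self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))  # reply direction
                return "pass (rule)"
        return "block"


def decide(capture_text, local_ip, keep_state):
    """Run the capture through the two port-53 rules quoted in the thread."""
    rules = [Rule("in", 53, keep_state), Rule("out", 53, keep_state)]
    fw = StatefulFilter(rules, local_ip)
    return [fw.evaluate(p) for p in parse_capture(capture_text)]


if __name__ == "__main__":
    for keep in (True, False):
        label = "keep state" if keep else "no state"
        print(label, decide(SAMPLE_CAPTURE, "146.250.147.127", keep))
```

With "keep state" the outgoing query matches the "pass out ... port 53" rule and creates a state entry for both directions, so the reply from port 53 to port 1030 passes on state alone. Without state the same reply reaches the rules, its destination port is 1030 rather than 53, and it is blocked, which is exactly the outcome the quoted question was worried about.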