> So,
> pass in on xl0 inet proto {tcp, udp} from any to any port 53 keep state
> pass out on xl0 inet proto {tcp, udp} from any to any port 53 keep state
> should do the trick? But if I look at the dns queries from outside they are 
> generated from port 53 to a high-numbered port and thus will be blocked 
> with the above rules?

        Don't look at the source of the packet, but at the destination.  In these you
can see port 53, where the name service runs.

[root@goku:root]# tcpdump -i eth0 -n port 53
tcpdump: listening on eth0
13:34:35.922231 146.250.147.127.1030 > 146.250.158.238.53:  46641+ A?
helio.loureiro.eng.br. (39) (DF)
13:34:35.929837 146.250.158.238.53 > 146.250.147.127.1030:  46641 2/5/4
CNAME[|domain] (DF)

        Here you can see a tcpdump from my Linux laptop (yes, Linux), where I
started an "nslookup".  My machine, 146.250.147.127, started the connection
from port 1030 (any free port above 1024) to the DNS server,
146.250.158.238, port 53.

> I suppose this is generally available information that I somehow did not 
> pick up. However, the fact remains that there is something more to the pf 
> ruleset than what I am used to from ipf.

        As I said, "keep state" looks like it is not working properly, so you can
add just a rule for outgoing packets.

-- 

Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration
South America
Tel.: + 55 11 6224-1795 
Public Key ID: FB5972D1@http://search.keyserver.net

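The point in the reply above is that a stateful rule is matched against the first packet of the exchange (the query, destination port 53), and the reply (source port 53, destination the high port) is then admitted by the state entry, not by any rule. The following is an added example, not code from the thread and not pf itself: a toy model of that first-packet-matches-rule, reply-matches-state behaviour, with the two tcpdump lines from the post replayed against a few candidate rulesets. Assumptions: default deny, every captured line treated as UDP (nslookup uses UDP and the lines carry no TCP flags), a state keyed only on the two endpoint tuples, and first-match rule evaluation (real pf uses last match unless `quick`).

```python
"""Toy stateful packet filter (added example, not pf and not from the thread).

Models why 'pass out ... to port 53 keep state' alone lets DNS replies
from port 53 back in, while 'pass in ... to port 53' does nothing for them.
Assumptions: default deny, UDP for every captured line, state keyed on
the two endpoint tuples, first matching rule wins.
"""
import re
from dataclasses import dataclass, field

HOST = "146.250.147.127"   # the laptop that ran nslookup in the post

# Constructed sample: the two tcpdump lines from the post, each rejoined
# onto a single line (the archive wrapped them).
CAPTURE = [
    "13:34:35.922231 146.250.147.127.1030 > 146.250.158.238.53:  46641+ A? "
    "helio.loureiro.eng.br. (39) (DF)",
    "13:34:35.929837 146.250.158.238.53 > 146.250.147.127.1030:  46641 2/5/4 "
    "CNAME[|domain] (DF)",
]

TCPDUMP_RE = re.compile(
    r"^\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to HOST
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"      # assumption: no TCP flags in the capture


@dataclass(frozen=True)
class Rule:
    """pass <direction> proto <proto> from any to any port <dport> [keep state]"""
    direction: str
    dport: int
    proto: str = "udp"
    keep_state: bool = False


def parse_tcpdump(line: str, host: str = HOST) -> Packet:
    """Turn one 'src.port > dst.port:' tcpdump line into a Packet."""
    m = TCPDUMP_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    direction = "out" if m["src"] == host else "in"
    return Packet(direction, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def state_key(pkt: Packet):
    # Direction-agnostic: the reply has the endpoints swapped but must
    # hit the same state entry.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


@dataclass
class Filter:
    rules: list
    states: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        """Return 'pass:state', 'pass:rule' or 'block' for one packet."""
        if state_key(pkt) in self.states:
            return "pass:state"
        for rule in self.rules:          # toy: first match wins
            if (rule.direction == pkt.direction
                    and rule.proto == pkt.proto
                    and rule.dport == pkt.dport):
                if rule.keep_state:
                    self.states.add(state_key(pkt))
                return "pass:rule"
        return "block"                   # default deny


def replay(rules, capture=CAPTURE, host=HOST):
    """Run the capture through a fresh filter; one verdict per line."""
    f = Filter(list(rules))
    return [f.decide(parse_tcpdump(line, host)) for line in capture]


if __name__ == "__main__":
    # Outbound rule with keep state: query passes by rule, reply by state.
    print(replay([Rule("out", 53, keep_state=True)]))
    # Same rule without keep state: the reply (dport 1030) has no rule.
    print(replay([Rule("out", 53)]))
    # 'pass in ... to port 53' does not help the reply either: it only
    # matches packets whose *destination* port is 53.
    print(replay([Rule("out", 53), Rule("in", 53, keep_state=True)]))
```

The third ruleset is the one the original question worried about: the inbound rule to port 53 would only admit queries arriving at a name server on the host; the reply to the laptop's own query still needs the state created by the outbound rule.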