My new OpenBSD 3.8/pf firewall setup now seems to mostly be doing what it's supposed to. There's one lingering problem, though, that I just can't find the source of. I'm getting occasional log messages like this (standard tcpdump format):
Dec 18 05:55:43 rule 33/(match) block in on xl2: 192.168.3.2.34353 > 216.231.43.2.53: [|domain] (DF)

Okay, 192.168.3.2 is my Linux (2.4) web/email server, the only thing connected to xl2; 216.231.43.2 is a name server in resolv.conf, and "rule 33" is the final, default block rule at the bottom of the pf ruleset. The thing I can't understand is that I'm explicitly passing this kind of traffic:

pass in quick on $dmz_if inet proto tcp from 192.168.3.0/26 to any port { 53 80 } keep state flags S/SA label "pass in dmz->any!good"

...and the other thing that's odd is that *most* DNS traffic is going through the firewall just fine. I can do a "dig" of a strange domain name from the web server box and it happily resolves. It's only these seemingly occasional messages like the one above that show something's being blocked. Clearly I'm missing something obvious. Help?

thanks
-jon-
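The pass rule quoted in the post matches only `proto tcp`. Resolvers send ordinary DNS queries over UDP port 53 and fall back to TCP only for truncated answers and zone transfers, and the blocked line above shows no TCP flags or sequence numbers, which is how tcpdump prints a UDP datagram (the `[|domain]` just means the pflog capture was cut off before the DNS header could be decoded). The pf.conf fragment below is an added example, not the poster's ruleset: it keeps the original TCP rule and adds a matching UDP rule. It assumes `dmz_if` expands to `xl2` (the post only says the server hangs off xl2) and reuses the post's 192.168.3.0/26 range; the label strings are made up here.

```pf
# Added example, not from the original post. Assumes the DMZ macro maps
# to the interface named in the log line.
dmz_if  = "xl2"
dmz_net = "192.168.3.0/26"

# Original rule as quoted in the post: TCP only. A UDP/53 query from
# the DMZ never matches it and falls through to the final default block.
#
#   pass in quick on $dmz_if inet proto tcp from $dmz_net to any \
#       port { 53 80 } keep state flags S/SA label "pass in dmz->any!good"

# TCP: unchanged in substance. "flags S/SA" is legal only on tcp rules,
# so it stays on its own rule rather than in a combined { tcp udp } rule
# (pfctl rejects flags on anything but tcp).
pass in quick on $dmz_if inet proto tcp from $dmz_net to any \
    port { 53 80 } keep state flags S/SA label "pass in dmz->any tcp"

# UDP: the normal DNS query path. keep state lets the reply from the
# resolver come back in without a separate inbound rule on the outside.
pass in quick on $dmz_if inet proto udp from $dmz_net to any \
    port 53 keep state label "pass in dmz->any udp53"
```

To confirm the diagnosis before changing anything, watch the log interface with a protocol filter: `tcpdump -n -e -ttt -i pflog0 udp and port 53` should show exactly the blocked lines, while `tcpdump -n -e -ttt -i pflog0 tcp and port 53` should stay quiet. `pfctl -vvsr` prints the loaded rules with their `@N` numbers, so "rule 33" can be matched to the actual block rule. Syntax-check the edited file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The reason most lookups "just work" is that dig and the resolver library retry against the other name servers in resolv.conf and a query that lands on an already-passed state or a different server succeeds, so only the dropped first attempts show up in the log.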