Jonathan Rogers wrote:
My new OpenBSD 3.8/pf firewall setup seems now to mostly be doing what
it's supposed to. One lingering problem, though, that I just can't find
the source of. I'm getting occasional log messages like this (standard
tcpdump format):

Dec 18 05:55:43 rule 33/(match) block in on xl2: 192.168.3.2.34353 > 216.231.43.2.53: [|domain] (DF)

Okay, 192.168.3.2 is my Linux (2.4) web/email server, the only thing
connected to xl2; 216.231.43.2 is a name server in resolv.conf, and
"rule 33" is the final, default block rule at the bottom of the pf
ruleset.

The thing I can't understand is that I'm explicitly passing this kind
of traffic:

   pass in quick on $dmz_if inet proto tcp from 192.168.3.0/26 to any port { 53 80 } \
      keep state flags S/SA label "pass in dmz->any!good"

...and the other thing that's odd is that *most* DNS traffic is going
through the firewall just fine...I can do a "dig" of a strange domain
name from the web server box and it happily resolves. It's only these
seemingly occasional messages like the one above that show something's
being blocked.

Clearly I'm missing something obvious. Help?

thanks -jon-

DNS is mainly UDP traffic, at least queries are, because large DNS queries can now spill over to TCP also. But mainly TCP is left for name-server-to-name-server DNS transfers of domains.

--
http://www.digitalrage.org/
The Information Technology News Center
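
Added example, not code from either poster: the pass rule quoted above matches only proto tcp, so a UDP datagram to port 53 from the same host never matches it and falls through to the final default block. The blocked log entry fits that: tcpdump prints a TCP segment with its flags and sequence numbers before the payload, whereas this line goes straight from the ports to the DNS decoder, which is how a UDP query is printed. The fragment below shows the tcp-only rule beside a version that also passes UDP queries. It assumes $dmz_if is xl2 as in the log line, that no other rule in the ruleset already passes udp to port 53, and keeps the label text from the post; the udp label is made up here. pfctl rejects "flags" on a non-tcp rule, so udp gets a rule of its own rather than "proto { tcp udp }" on the existing line.

```pf
# Constructed pf.conf fragment for OpenBSD 3.8 (added example, not the
# poster's ruleset). dmz_if = xl2 is assumed from the log entry.
dmz_if  = "xl2"
dmz_net = "192.168.3.0/26"

# As posted: tcp only. A UDP query to port 53 never matches this rule,
# so it hits whatever the last block rule is (rule 33 in the post).
#
# pass in quick on $dmz_if inet proto tcp from $dmz_net to any port { 53 80 } \
#     keep state flags S/SA label "pass in dmz->any!good"

# Corrected: keep the tcp rule unchanged (flags S/SA is tcp-only syntax) ...
pass in quick on $dmz_if inet proto tcp from $dmz_net to any port { 53 80 } \
    keep state flags S/SA label "pass in dmz->any!good"

# ... and add a separate udp rule for ordinary resolver queries. No "flags"
# on this line: pfctl refuses flags on a non-tcp rule, so a single
# "proto { tcp udp }" rule carrying flags S/SA would not load.
# "keep state" is explicit because pf 3.8 does not track state by default.
pass in quick on $dmz_if inet proto udp from $dmz_net to any port 53 \
    keep state label "pass in dmz->dns udp"   # label is an assumed name

# The existing final "block ... log" rule stays at the bottom of the ruleset;
# "quick" on the pass rules above is what stops it from being evaluated
# for matched packets.
```

Check the edited file without loading it with `pfctl -nf /etc/pf.conf`. `pfctl -vvsr` prints every loaded rule prefixed with its number (`@33`), which is how to confirm which rule the `rule 33/(match)` entry in the log refers to. After loading, `pfctl -ss` lists the udp state entries created for the queries.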
