Hello,

Yesterday, my mail wasn't explicit. Sorry.

Architecture:
        Internet
        PF firewall on FreeBSD 5.5
        DNS server (bind 9)
This firewall is now in production: the DNS host sees 100 packets per second,
there is a mail server with 700.000 smtp hits per day, and 'pfctl -si' shows
between 4000 and 8000 state entries during the day.

Here is a more complete trace, thanks to script(1) and screen(1).

. at 08:40:00, I load the smallest ruleset:

        # date ; pfctl -f /etc/pf/test.conf
        Tue Mar  6 08:40:00 MET 2007
        No ALTQ support in kernel
        ALTQ related functions disabled

        # pfctl -sr
        block drop in log all
        pass out on em0 all keep state
        pass out on em1 all keep state
        pass in on em0 all flags S/SA keep state
        pass in on em1 all flags S/SA keep state

. at 08:40:10, 2 packets are blocked:

        # tcpdump -eni pflog0 host 192.134.0.49
        08:40:10.848258 rule 0/0(match): block in on em1: IP 192.134.0.49.53 > 129.199.96.11.55186:  47029 NXDomain*-[|domain]
        08:40:10.848266 rule 0/0(match): block in on em1: IP 192.134.0.49 > 129.199.96.11: udp

. but the flow is open:

        # pfctl -ss | grep 192.134.0.49
        self udp 192.134.0.49:53 <- 129.199.96.11:55186       MULTIPLE:MULTIPLE
        self udp 129.199.96.11:55186 -> 192.134.0.49:53       MULTIPLE:MULTIPLE

. and here is tcpdump before the firewall:

        # tcpdump -i em1 host 192.134.0.49
        08:39:50.901802 IP 129.199.96.11.55186 > 192.134.0.49.53:  33752 [1au] A? bancoedwards.cl. (44)
        08:39:50.903939 IP 192.134.0.49.53 > 129.199.96.11.55186:  33752- 0/2/3 (125)
        08:39:52.150305 IP 129.199.96.11.55186 > 192.134.0.49.53:  53112 [1au] PTR? 8.101.224.88.in-addr.arpa. (54)
        08:39:52.153941 IP 192.134.0.49.53 > 129.199.96.11.55186:  53112 NXDomain*- 0/6/6 (1472)
        08:39:52.153945 IP 192.134.0.49 > 129.199.96.11: udp
        08:39:56.164523 IP 129.199.96.11.55186 > 192.134.0.49.53:  43684 [1au] PTR? 176.195.118.88.in-addr.arpa. (56)
        08:39:56.178153 IP 192.134.0.49.53 > 129.199.96.11.55186:  43684 NXDomain*- 0/6/6 (1472)
        08:39:56.178158 IP 192.134.0.49 > 129.199.96.11: udp
   -------
   so before 08:40:00, there is traffic. See 'pfctl -ss' above.
   And now the blocked packet:
   -------
   the DNS query (em0 to em1):
        08:40:10.844354 IP 129.199.96.11.55186 > 192.134.0.49.53:  47029 [1au] PTR? 187.239.91.81.in-addr.arpa. (55)
   the answer (em1 to em0):
        08:40:10.848241 IP 192.134.0.49.53 > 129.199.96.11.55186:  47029 NXDomain*- 0/6/6 (1472)
        08:40:10.848246 IP 192.134.0.49 > 129.199.96.11: udp

. here are more details on the blocked packets (tcpdump -n -v -i em1 host 192.134.0.49):
        09:41:06.492426 IP (tos 0x0, ttl  58, id 34397, offset 0, flags [+], length: 1500)
                192.134.0.49.53 > 129.199.96.11.57617:  5828 NXDomain*- 0/6/6 (1472)
        09:41:06.492551 IP (tos 0x0, ttl  58, id 34397, offset 1480, flags [none], length: 458)
                192.134.0.49 > 129.199.96.11: udp

. adding the rule:
        pass in quick on em1 inet from any to 129.199.96.11
  solves the problem.

So, where is the problem?
Is there a better fix than my rule?

--
Jacques Beigbeder                    |  [EMAIL PROTECTED]
Service de Prestations Informatiques |     http://www.spi.ens.fr
Ecole normale supérieure             |
45 rue d'Ulm                         |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05                |Fax : (+33 1)1 44 32 20 75
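Added example, not part of Jacques's mail and not PF code: a small Python parser for `tcpdump -n -v` records like the two quoted above. It groups IP fragments by source, destination and IP id, checks that the pieces are contiguous, and reports the reassembled UDP size and how many fragments arrived without a UDP header. The sample records are the two fragments from the post, put back onto tcpdump's own two-line layout, plus one constructed unfragmented reply (id 34396, a made-up value) for contrast; the 20-byte IP header length is an assumption (no IP options).

```python
"""Spot IP-fragmented UDP replies in `tcpdump -n -v` output (added example)."""
import re
from collections import defaultdict

IP_HDR_LEN = 20  # assumption: no IP options, as in the quoted trace

# Constructed sample: the two fragments quoted in the post plus one
# unfragmented reply (id 34396, constructed) for contrast.
SAMPLE = """\
09:41:06.400000 IP (tos 0x0, ttl  58, id 34396, offset 0, flags [none], length: 153)
        192.134.0.49.53 > 129.199.96.11.57617:  33752- 0/2/3 (125)
09:41:06.492426 IP (tos 0x0, ttl  58, id 34397, offset 0, flags [+], length: 1500)
        192.134.0.49.53 > 129.199.96.11.57617:  5828 NXDomain*- 0/6/6 (1472)
09:41:06.492551 IP (tos 0x0, ttl  58, id 34397, offset 1480, flags [none], length: 458)
        192.134.0.49 > 129.199.96.11: udp
"""

RECORD_RE = re.compile(
    r'^(?P<ts>\S+) IP \(tos \S+, ttl\s+(?P<ttl>\d+), id (?P<id>\d+), '
    r'offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<length>\d+)\)\s+'
    r'(?P<src>[\d.]+) > (?P<dst>[\d.]+):'
)


def join_records(text):
    """tcpdump -v prints the IP header, then the transport part on an
    indented continuation line; glue each continuation onto its header."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += ' ' + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records


def split_endpoint(endpoint):
    """'a.b.c.d.port' -> ('a.b.c.d', port). A bare address has no port:
    tcpdump prints none for fragments that carry no transport header."""
    parts = endpoint.split('.')
    if len(parts) == 5:
        return '.'.join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_record(record):
    m = RECORD_RE.match(record)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m['src'])
    dst_ip, dst_port = split_endpoint(m['dst'])
    return {
        'ts': m['ts'], 'id': int(m['id']), 'offset': int(m['offset']),
        'more': '+' in m['flags'],          # "[+]" is the More Fragments flag
        'length': int(m['length']),         # IP total length incl. header
        'src_ip': src_ip, 'src_port': src_port,
        'dst_ip': dst_ip, 'dst_port': dst_port,
    }


def analyze(text):
    """Return one finding per fragmented datagram seen in the capture."""
    groups = defaultdict(list)
    for rec in join_records(text):
        frag = parse_record(rec)
        if frag:
            groups[(frag['src_ip'], frag['dst_ip'], frag['id'])].append(frag)

    findings = []
    for (src, dst, ip_id), frags in groups.items():
        frags.sort(key=lambda f: f['offset'])
        first = frags[0]
        if len(frags) == 1 and not first['more'] and first['offset'] == 0:
            continue  # ordinary, unfragmented datagram
        # Contiguous when each fragment starts where the previous one ended.
        contiguous = all(
            nxt['offset'] == prev['offset'] + prev['length'] - IP_HDR_LEN
            for prev, nxt in zip(frags, frags[1:])
        )
        complete = first['offset'] == 0 and not frags[-1]['more'] and contiguous
        findings.append({
            'src': src, 'dst': dst, 'ip_id': ip_id,
            'fragments': len(frags),
            'complete': complete,
            # Size of the reassembled UDP datagram (UDP header + DNS message).
            'payload_bytes': sum(f['length'] - IP_HDR_LEN for f in frags),
            # Ports are visible only in the first fragment.
            'ports': (first['src_port'], first['dst_port']),
            # Fragments a port-keyed state lookup cannot match.
            'headerless_fragments': sum(1 for f in frags if f['offset'] > 0),
        })
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE):
        print(f"{f['src']} > {f['dst']} id {f['ip_id']}: {f['fragments']} fragments, "
              f"{f['payload_bytes']} bytes of UDP, ports {f['ports']}, "
              f"{f['headerless_fragments']} without a UDP header, complete={f['complete']}")
```

Run it as is to see the finding for the sample, or pass real capture text to `analyze()`. For the quoted datagram it reports 2 contiguous fragments totalling 1918 bytes of UDP, of which the second (offset 1480) has no UDP header: that is why tcpdump prints it without ports, and why a filter keying UDP state on addresses and ports cannot match it against the state entry shown by 'pfctl -ss'. PF reassembles fragments before rule evaluation only when a scrub rule is in place.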
