Hello,

Yesterday, my mail wasn't explicit. Sorry.

Architecture:
    Internet
    PF firewall on FreeBSD 5.5
    DNS server (bind 9)

This is now a firewall in production: the DNS host has 100 packets per
second, there is a mail server with 700.000 smtp hits per day, and
'pfctl -si' shows between 4000 and 8000 state entries during the day.

Here is a more complete trace, thanks to script(1) and screen(1).

. at 08:40:00, I set up the smallest rule:

    # date ; pfctl -f /etc/pf/test.conf
    Tue Mar 6 08:40:00 MET 2007
    No ALTQ support in kernel
    ALTQ related functions disabled
    # pfctl -sr
    block drop in log all
    pass out on em0 all keep state
    pass out on em1 all keep state
    pass in on em0 all flags S/SA keep state
    pass in on em1 all flags S/SA keep state

. at 08:40:10, 2 packets are blocked:

    # tcpdump -eni pflog0 host 192.134.0.49
    08:40:10.848258 rule 0/0(match): block in on em1: IP 192.134.0.49.53 > 129.199.96.11.55186: 47029 NXDomain*-[|domain]
    08:40:10.848266 rule 0/0(match): block in on em1: IP 192.134.0.49 > 129.199.96.11: udp

. but the flow is opened:

    # pfctl -ss | grep 192.134.0.49
    self udp 192.134.0.49:53 <- 129.199.96.11:55186       MULTIPLE:MULTIPLE
    self udp 129.199.96.11:55186 -> 192.134.0.49:53       MULTIPLE:MULTIPLE

. and here is tcpdump before the firewall:

    # tcpdump -i em1 host 192.134.0.49
    08:39:50.901802 IP 129.199.96.11.55186 > 192.134.0.49.53: 33752 [1au] A? bancoedwards.cl. (44)
    08:39:50.903939 IP 192.134.0.49.53 > 129.199.96.11.55186: 33752- 0/2/3 (125)
    08:39:52.150305 IP 129.199.96.11.55186 > 192.134.0.49.53: 53112 [1au] PTR? 8.101.224.88.in-addr.arpa. (54)
    08:39:52.153941 IP 192.134.0.49.53 > 129.199.96.11.55186: 53112 NXDomain*- 0/6/6 (1472)
    08:39:52.153945 IP 192.134.0.49 > 129.199.96.11: udp
    08:39:56.164523 IP 129.199.96.11.55186 > 192.134.0.49.53: 43684 [1au] PTR? 176.195.118.88.in-addr.arpa. (56)
    08:39:56.178153 IP 192.134.0.49.53 > 129.199.96.11.55186: 43684 NXDomain*- 0/6/6 (1472)
    08:39:56.178158 IP 192.134.0.49 > 129.199.96.11: udp
    -------

So before 08:40:00, there is traffic. See 'pfctl -ss' above.

And now the blocked packet:

    -------
    the DNS query (em0 to em1):
    08:40:10.844354 IP 129.199.96.11.55186 > 192.134.0.49.53: 47029 [1au] PTR? 187.239.91.81.in-addr.arpa. (55)
    the answer (em1 to em0):
    08:40:10.848241 IP 192.134.0.49.53 > 129.199.96.11.55186: 47029 NXDomain*- 0/6/6 (1472)
    08:40:10.848246 IP 192.134.0.49 > 129.199.96.11: udp

. here are more details on the blocked packets
  (tcpdump -n -v -i em1 host 192.134.0.49):

    09:41:06.492426 IP (tos 0x0, ttl 58, id 34397, offset 0, flags [+], length: 1500) 192.134.0.49.53 > 129.199.96.11.57617: 5828 NXDomain*- 0/6/6 (1472)
    09:41:06.492551 IP (tos 0x0, ttl 58, id 34397, offset 1480, flags [none], length: 458) 192.134.0.49 > 129.199.96.11: udp

. adding the rule:

    pass in quick on em1 inet from any to 129.199.96.11

  solves the problem.

So, where is the problem? Is there a better fix than my rule?

--
Jacques Beigbeder                     | [EMAIL PROTECTED]
Service de Prestations Informatiques  | http://www.spi.ens.fr
Ecole normale supérieure              |
45 rue d'Ulm                          | Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05                 | Fax : (+33 1)1 44 32 20 75
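The verbose tcpdump lines above show what pf sees: the 1500-byte reply is the first fragment (offset 0, flags [+]) of IP id 34397, and the 458-byte packet is its second fragment (offset 1480), which carries no UDP header and therefore no ports. The script below is an added example (not from the original mail) that parses those two lines and replays pf's 5-tuple state lookup once per fragment and once on the reassembled datagram; the state tuple is assumed from the query direction shown in the trace.

```python
import re

# Constructed sample: the two verbose tcpdump lines quoted in the mail
# (first and second fragment of one NXDomain reply, IP id 34397).
SAMPLE = """\
09:41:06.492426 IP (tos 0x0, ttl 58, id 34397, offset 0, flags [+], length: 1500) 192.134.0.49.53 > 129.199.96.11.57617: 5828 NXDomain*- 0/6/6 (1472)
09:41:06.492551 IP (tos 0x0, ttl 58, id 34397, offset 1480, flags [none], length: 458) 192.134.0.49 > 129.199.96.11: udp
"""

LINE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"length: (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)

def parse(text):
    """One dict per packet; ports are None on non-first fragments."""
    pkts = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            d = m.groupdict()
            for k in ("id", "off", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

# Assumed state entry, reply direction of the query 129.199.96.11:57617 ->
# 192.134.0.49:53 (pf keys UDP state on the full 5-tuple).
STATE = ("udp", "192.134.0.49", "53", "129.199.96.11", "57617")

def state_matches(p):
    return ("udp", p["src"], p["sport"], p["dst"], p["dport"]) == STATE

def filter_per_fragment(pkts):
    """Stateful lookup on each IP packet, i.e. without reassembly."""
    return ["pass" if state_matches(p) else "block" for p in pkts]

def reassemble(pkts):
    """Merge fragments sharing (src, dst, id); only the first has ports."""
    groups = {}
    for p in pkts:
        key = (p["src"], p["dst"], p["id"])
        g = groups.setdefault(key, {"src": p["src"], "dst": p["dst"],
                                    "sport": None, "dport": None, "len": 0})
        g["len"] += p["len"] - 20          # drop each fragment's IPv4 header
        if p["off"] == 0:
            g["sport"], g["dport"] = p["sport"], p["dport"]
    return list(groups.values())

def filter_reassembled(pkts):
    """Stateful lookup after reassembly: the whole datagram has ports."""
    return ["pass" if state_matches(d) else "block" for d in reassemble(pkts)]
```

Per fragment the second packet cannot match any state and falls through to `block drop in log all`, which is exactly the second pflog line in the mail; after reassembly the one datagram matches the existing state, which is what pf's `scrub` fragment reassembly provides without opening inbound traffic the way the `pass in quick` rule does.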