Kevin Chadwick <m8il1i...@gmail.com> writes:

>> Something like
>>
>>   pass out ... proto udp from any to any port 53 user = _rebound
>>
>> same for tcp.
>
> Yeah but have you tried it and been successful without getting a syntax
> error?

This doesn't give a syntax error and seems to do what you're looking
for. s/_rebound/_unbound/ ; this is on -current but I doubt that the
syntax changed recently.

  block out proto tcp from any to any port 53
  block out proto udp from any to any port 53
  pass out proto tcp from any to any port 53 user = _unbound
  pass out proto udp from any to any port 53 user = _unbound

  ritchie ~$ dig +short +tcp +dnssec openbsd.org mx @127.0.0.1
  6 shear.ucar.edu.
  ritchie ~$ dig +short +tcp +dnssec openbsd.org mx @8.8.8.8
  ;; Connection to 8.8.8.8#53(8.8.8.8) for openbsd.org failed: host unreachable.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE