Tang Tse wrote:
Thanks all of you.
I have an internal DNS server (a vmware machine on my desktop computer),
so name resolution shouldn't be a problem, should it?
When you say allow DNS lookups, do you mean to open the DNS port?
Thanks!!
Tang
2007/5/4, Fred Crowson <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>:
Tang Tse wrote:
> Hi again,
>
> I follow with my own fight with PF. (Sorry to send another mail, but I
> can't really fix this.)
>
> If I reduce pf.conf to the following rules:
> block in all
This rule causes pf to block in on all your interfaces. As you are
blocking DNS, ssh takes longer to work out where you're connecting from;
either add an entry for your LAN machine to /etc/hosts and/or allow DNS
lookups.
> pass in on $int_if proto {tcp,udp} from any to any port 22 keep state
>
> I can connect to ssh, but it takes at least one minute to ask me the
> user and pass.
>
> If I change it to block in on $ext_if all, then I can connect with the
> normal speed.
>
Here you are only blocking on the external interface so ssh is not
having to wait for the blocked DNS timeout.
> The rules order is correct (I think): pf goes from less specific rule
> to more specific rule. If I told pf "if there is no match, block in
> all; if connection is to port 22, pass it", I can't understand why this
> doesn't work.
>
> please, can you point to what is wrong?
>
> Thanks!
> Tang Tse
>
HTH
Fred
--
http://www.crowsons.net/puters/x41.php
block will block all DNS queries (port 53) unless there is a rule
allowing them to pass...
--
http://www.crowsons.net/puters/x41.php
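The two rulesets Fred contrasts, as an added pf.conf example (not from
the thread, and not Fred's or Tang's own configuration). The interface
name and the DNS server address are assumed/constructed values; the
point is that `block in all` also drops the replies to the firewall's
own DNS queries unless a stateful rule lets them back in:

```pf
# Added example, not from the original thread.
int_if  = "em0"             # assumed LAN interface name
dns_srv = "192.168.1.53"    # constructed: address of the internal DNS VM

# Original ruleset (as posted). The ssh rule keeps state, but nothing
# creates state for the firewall's own outbound DNS queries, so the UDP
# replies from $dns_srv are dropped by "block in all" and sshd sits on
# the reverse-lookup timeout before prompting for a password.
# block in all
# pass in on $int_if proto { tcp, udp } from any to any port 22 keep state

# Corrected ruleset: same default-deny on inbound, plus an explicit
# stateful pass for the lookups sshd performs. The state entry created
# on the way out is what lets the DNS reply back in past "block in all".
# ssh is TCP only, so the pass rule is narrowed to tcp.
block in all
pass in  on $int_if proto tcp from any to any port 22 keep state
pass out on $int_if proto { tcp, udp } from any to $dns_srv port 53 keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf` (parse
only, no load). If the firewall should not talk to DNS at all, the other
way out of the delay is Fred's /etc/hosts entry or `UseDNS no` in
sshd_config, which stops sshd doing the reverse lookup in the first
place.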