Thanks for the answer,

Is it secure to open DNS ports to the outside world? Or do you mean to open
outgoing DNS connections? If I want to redirect incoming ssh connections
from the internet to some inside server, should I open DNS incoming?

Thanks!!

2007/5/4, Fred Crowson <[EMAIL PROTECTED]>:
>
> Tang Tse wrote:
> > Thanks all of you.
> >
> > I have an internal DNS server ( a vmware machine on my desktop computer
> > ) so name resolution shouldn't be a problem, should it?
> >
> > When you say allow dns lookups, you mean to open dns port?
> >
> > Thanks!!
> > Tang
> >
> >
> >
> > 2007/5/4, Fred Crowson <[EMAIL PROTECTED] <mailto:
> [EMAIL PROTECTED]>>:
> >
> >     Tang Tse wrote:
> >      > Hi again,
> >      >
> >      > I follow with my own fight with PF. ( sorry to send other mail,
> >     but i can't
> >      > really fix this ).
> >      >
> >      > If I reduce pf.conf to the following rules:
> >      > block in all
> >
> >     This rule causes pf to block in on all your interfaces, as you are
> >     blocking DNS, ssh takes longer to work out where you're connecting
> >     from, either add an entry for your lan machine to /etc/hosts and/or
> >     allow DNS lookups.
> >
> >      > pass in on $int_if proto { tcp, udp } from any to any port 22 keep state
> >      >
> >      > I can connect to ssh, but it takes at least one minute to ask me
> >     the user and
> >      > pass.
> >      >
> >      > If i change it to block in on $ext_if all, then i can connect
> >     with the
> >      > normal speed.
> >      >
> >
> >     Here you are only blocking on the external interface so ssh is not
> >     having to wait for the blocked DNS timeout.
> >
> >      > The rules order is correct ( i think ), pf goes from less
> >     specific rule to
> >      > more specific rule.. If i told pf if there is no match block in
> >     all, if
> >      > connection is to port 22 pass it. I can't understand why this
> >     doesn't work..
> >      >
> >      > please, can you point to what is wrong?
> >      >
> >      > Thanks!
> >      > Tang Tse
> >      >
> >     HTH
> >
> >     Fred
> >     --
> >     http://www.crowsons.net/puters/x41.php
> >
> >
>
> block will block all DNS queries (port 53) unless there is a rule
> allowing them to pass...
>
> --
> http://www.crowsons.net/puters/x41.php
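The slow ssh login discussed in this thread comes from sshd doing a reverse DNS lookup of the client: the firewall sends the query out, but with `block in all` and no stateful rule the UDP answer is dropped on its way back in, and sshd waits for the lookup to time out. The pf.conf fragment below is an added example, not configuration posted by anyone in the thread; the interface names and addresses (`fxp0`, `fxp1`, `192.168.1.2`, `192.168.1.10`) are assumed placeholders, and it uses the pre-OpenBSD 4.7 `rdr` / `keep state` syntax that matches the 2007 date of the thread. It shows that no inbound port 53 needs to be opened: a `pass out ... keep state` rule for the query is what admits the reply past `block in all`, and the redirect of Internet ssh to an inside host is a separate `rdr` plus a `pass in` on the external interface.

```pf
# Added example, not from the thread. Macros below are assumed values.
ext_if     = "fxp0"          # assumed external (Internet-facing) interface
int_if     = "fxp1"          # assumed LAN interface
dns_server = "192.168.1.2"   # assumed internal DNS VM from the thread
ssh_server = "192.168.1.10"  # assumed inside host that should receive Internet ssh

# Rewrite Internet ssh arriving at the firewall's own external address to the inside host.
# Translation happens before filtering, so the pass rule further down matches $ssh_server.
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $ssh_server port 22

# Default deny inbound on every interface, as in the thread.
block in all

# Let the firewall's own DNS queries out and keep state so the answer is let back in.
# Without "keep state" the UDP reply hits "block in all" and sshd waits for the
# reverse lookup to time out, which is the one-minute delay described above.
pass out on $int_if proto { tcp, udp } from any to $dns_server port 53 keep state
# Only needed if /etc/resolv.conf points at a resolver on the Internet side.
pass out on $ext_if proto { tcp, udp } from any to any port 53 keep state

# ssh from the LAN to the firewall itself (the thread's original rule, brackets fixed).
pass in on $int_if proto tcp from any to any port 22 keep state

# ssh from the Internet, already rewritten by the rdr rule, on to the inside host.
# Floating state also admits the inside host's replies arriving on $int_if.
pass in on $ext_if proto tcp from any to $ssh_server port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; forwarding between the two interfaces also requires `net.inet.ip.forwarding=1` in sysctl. If the firewall never needs to resolve names at all, `UseDNS no` in sshd_config removes the reverse lookup and the delay without any DNS rule, which is the smaller exposure of the two.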
