Hello,

I am very new to OpenBSD, but have been using FreeBSD with ipfilter
for years now. I think I have discovered somewhat of an anomaly. After
careful review of my rules and subsequent testing, I cannot seem to
allow port 53 to pass to my tinydns server (hosted on FreeBSD) on the
inside of my network. What makes this interesting, is that every other
port defined by the "services" macro, is open.
I am able to access the internet from my network, so dnscache is doing its
job properly.

I am really scratching my head over this one, any help is appreciated,
and thanks in advance!

I'm using OpenBSD 4.2. Here is my pf.rules file:

# Network interfaces
internal = "rl1"
external = "rl0"

# Services
server = "*IP Removed for Privacy*"
services = "{ 22, 80, 443, 25, 143, 53 }"

# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, \
    0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
    255.255.255.255/32 }"

# Fix fragmented packets
scrub in all

# Create two packet queues: one for regular traffic, another for
# high priority: TCP ACKs and packets with ToS 'lowdelay'
altq on $external priq bandwidth 125Kb queue { highpri_q, default_q }
queue highpri_q priority 7
queue default_q priority 1 priq(default)

# NAT

# nat: packets going out through $external (rl0) with source addr
# 192.168.1.0/24 will get translated as coming from our external address.
# State is created for such packets, and incoming packets will be
# redirected to the internal address.
rdr on $external inet proto tcp to port $services -> $server
rdr on $external inet proto udp to port 53 -> $server

# NAT: rule for the inside network
nat on $external from 192.168.1.0/24 to any -> $external

########################################################################

# Don't bug loopback
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Don't bother the inside interface either
pass out quick on $internal from any to any
pass in quick on $internal from any to any

#####################################################################

#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets and IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header.
block in log quick on $external inet proto icmp from any to any icmp-type redir

#  Block any IP spoofing attempts.
block in quick on $external from $nonroutable to any

#  Don't allow non-routable packets
block out quick on $external from any to $nonroutable

#####################################################################

#  The normal filtering rules

#  ICMP: allow incoming ping and traceroute only
pass in quick on $external inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
block in log quick on $external inet proto icmp from any to any

#  TCP: Allow services incoming. Only match
#  SYN packets, and allow the state table to handle the rest of the
#  connection. ACKs and ToS "lowdelay" are given priority.
pass in quick on $external inet proto tcp from any to $server port $services \
     flags S/SA keep state queue (default_q, highpri_q)

# UDP: allow DNS since I run a public nameserver (remove if you don't!)
pass in quick on $external inet proto udp from any to $server port 53 keep state

# Everyone is allowed to send UDP and ICMP out
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state

#####################################################################

#  Allow packets coming in as replies to connections so we keep state
pass out quick on $external inet proto tcp from any to any \
     flags S/SA keep state queue (default_q, highpri_q)
pass out quick on $external inet proto udp from any to any keep state
pass out quick on $external inet proto icmp from any to any keep state

#####################################################################
#  End of rules. Block everything to all ports, all protocols and return
#  RST (TCP) or ICMP/port-unreachable (UDP).
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in quick on $external all
