On Feb 15, 2008, at 7:38 PM, pezking wrote:

Hello,

I am very new to OpenBSD, but have been using FreeBSD with ipfilter
for years now. I think I have discovered somewhat of an anomaly. After
careful review of my rules and subsequent testing, I cannot seem to
allow port 53 to pass to my tinydns server (hosted on FreeBSD) on the
inside of my network. What makes this interesting is that every other
port defined by the "services" macro is open.
I am able to access the internet from my network, so dnscache is doing its
job properly.

I am really scratching my head over this one, any help is appreciated,
and thanks in advance!

I'm using OpenBSD 4.2. Here is my pf.rules file:

# Network interfaces
internal = "rl1"
external = "rl0"

# Services
server = "*IP Removed for Privacy*"
services = "{ 22, 80, 443, 25, 143, 53 }"

# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, \
                 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, \
                 224.0.0.0/3, 255.255.255.255/32 }"

# Fix fragmented packets
scrub in all

# Create two packet queues: one for regular traffic, another for
# high priority: TCP ACKs and packets with ToS 'lowdelay'
altq on $external priq bandwidth 125Kb queue { highpri_q, default_q }
queue highpri_q priority 7
queue default_q priority 1 priq(default)

# NAT

# nat: packets going out through $external (rl0) with source addr 192.168.1.0/24
# will get translated as coming from our external address. State is
# created for such packets, and incoming packets will be redirected to
# the internal address.
rdr on $external inet proto tcp to port $services -> $server
rdr on $external inet proto udp to port 53 -> $server


Since you're trying to obfuscate your $server address, I assume that $server is the external address. Translation happens before filtering, so the target of your rdr rules should be the internal address.

Some other notes:

* Stop using quick everywhere. What's the point of using quick if ALL of your rules use it?
* PF uses last-match. Design your ruleset to work within this philosophy, rather than trying to shoehorn your ipfilter rules into this syntax.
* Read the PF User's Guide.

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
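The shape of a ruleset that follows the advice above (rdr pointing at the internal address, filter rules matching the post-translation destination, a catch-all block with last-match pass rules and no quick), written in the OpenBSD 4.2-era nat/rdr syntax. This is an added example, not a ruleset from either poster; the interface names follow the original post, while the LAN 192.168.1.0/24 and the server address 192.168.1.10 are assumed:

```pf
# Added example (not from the thread). rl0 is the external interface, rl1 the
# LAN; the assumed internal host 192.168.1.10 runs tinydns, mail and web.
internal = "rl1"
external = "rl0"
lan      = "192.168.1.0/24"
server   = "192.168.1.10"      # the INTERNAL address, never the public one
tcp_services = "{ 22, 25, 53, 80, 143, 443 }"

scrub in all

# Translation runs before filtering. nat hides the LAN behind the external
# interface address; rdr rewrites the destination of inbound connections
# to the internal server. DNS needs both a TCP and a UDP redirect.
nat on $external from $lan to any -> ($external)
rdr on $external inet proto tcp from any to ($external) port $tcp_services -> $server
rdr on $external inet proto udp from any to ($external) port 53 -> $server

# Filter rules see the packet AFTER rdr, so the destination to match is
# $server, not the external address. Last matching rule wins: block
# everything first, then let later pass rules override it. No quick needed.
block in log all
block out log all

# Inbound from the Internet to the redirected services.
pass in on $external inet proto tcp from any to $server port $tcp_services flags S/SA keep state
pass in on $external inet proto udp from any to $server port 53 keep state

# The redirected packets then leave towards the server on the LAN side.
pass out on $internal from any to $server keep state

# LAN clients (including dnscache) may reach the Internet.
pass in  on $internal from $lan to any keep state
pass out on $external from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then compare `pfctl -sn` (translation rules) against `pfctl -sr` (filter rules): every rdr target address should appear as the destination of a pass rule. Note that these rdr rules only catch packets arriving on $external; LAN hosts that query the public address will not be redirected, so point dnscache at the server's internal address.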
