What's wrong with this ruleset?
Gerard Samuel
fbsd-pf at trini0.org
Wed Mar 2 05:31:18 GMT 2005
Gerard Samuel wrote:
> Max Laier wrote:
>
>> On Wednesday 02 March 2005 00:14, Gerard Samuel wrote:
>>
>>
>>> For some reason, port 53 is blocked going out of the external
>>> interface ->
>>> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 >
>>> xx.xx.xx.xxx.4973
>>>
> >>> I'm still new to pf, but shouldn't the last two lines allow anything
> >>> going out to pass?
> >>> Any ideas on how to fix?
>>>
>>
>>
>> Can you send the output of "$pfctl -vsr" after some packets have been
>> blocked? The match counters are extremely helpful when debugging
>> such problems.
>>
>
> Just before this email came in, I changed the last 2 rules to ->
> #pass out on $ext_if proto tcp all modulate state flags S/SA
> #pass out on $ext_if proto {udp, icmp} all keep state
> pass out on $ext_if proto {tcp, udp, icmp} all keep state
I went back to my original ruleset and started reviewing
the real-time blocks again.
I noticed that the blocked packets were TCP.
I fiddled with the rule ->
pass out on $ext_if proto tcp all modulate state flags S/SA
till I came to ->
pass out on $ext_if proto tcp all modulate state
and it started working as it should.
Whether it's the correct way to write the rule, I'm not sure.
I'll read up on the flag options and see if I can come up with
an answer for that...
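The two variants of the outbound rules from this thread, assembled into a pf.conf fragment as an added example (this is not the poster's ruleset, which is not shown in full on the page). The comments explain what "flags S/SA" requires of a packet, which is why dropping it changed the behaviour. Whether the poster's box is answering DNS on port 53 itself is an assumption drawn from the blocked line (source port 53 leaving ed0); the inbound rule at the end is likewise an assumption about what the rest of such a ruleset might look like, not something the thread establishes.

```pf
# Added example, not the original poster's pf.conf.
# Assumption: the external interface is ed0, as in the blocked log line.
ext_if = "ed0"

# Original last two rules from the thread (commented out, as the poster did).
# "flags S/SA" means: of the SYN and ACK bits, only SYN may be set for a
# packet to match this rule and create state. A packet from the middle of
# an established connection (ACK set, SYN clear) does not match it, so if
# no state entry already exists for that connection the packet falls
# through to whatever block rule precedes these.
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto {udp, icmp} all keep state

# Variant that worked for the poster: with no flags restriction any TCP
# packet, including a mid-connection ACK, can match and create state.
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto {udp, icmp} all keep state

# Alternative that keeps "flags S/SA" on the outbound rule (assumption:
# the blocked packets are replies from a DNS service on this host). If
# the inbound side creates state on the SYN, the outbound reply packets
# are matched by that state entry and never need a pass out rule of
# their own.
#pass in on $ext_if proto tcp from any to $ext_if port 53 \
#    flags S/SA keep state
#pass in on $ext_if proto udp from any to $ext_if port 53 keep state
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto {udp, icmp} all keep state
```

To see which reading applies, do what Max Laier suggested: after some packets have been blocked, `pfctl -vsr` shows per-rule evaluation and match counters, so the block rule that is catching the port-53 packets and the pass rules they are failing to match both stand out. `pfctl -ss` lists the state table, so you can check whether a state entry exists for the connection whose packets are being blocked; if none does, the outbound rule had to match the packet on its own, which "flags S/SA" forbids for anything but the initial SYN.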