Need a little PF help here, please...

Justin Franks jfranks at inetassociation.com
Sun Oct 8 16:30:25 PDT 2006 

Have been using PF for over two years and recently ran into "problem"
which I am sure is something I am overlooking. So I need some direction.
Here it is: I recently enabled BIND9 on FreeBSD 6.1. I have PF running
too (PF config below). If I ping yahoo.com nothing happens. However, if
I comment out the PF rule "block in all" then suddenly I can ping
yahoo.com. Why will my server not resolve names (like yahoo.com) if the
"block in all" statement exists? Why does that statement mess it up?
What am I missing? Please help because I am totally frustrated.

 

 

Here is my pf.conf file.

 

table <misc> persist file "/etc/pf-files/misc"

table <spam> persist file "/etc/pf-files/spam"

table <ssh> persist file "/etc/pf-files/ssh"

table <gov> persist file "/etc/pf-files/gov"

table <dod> persist file "/etc/pf-files/dod"

table <fbi> persist file "/etc/pf-files/fbi"

table <cia> persist file "/etc/pf-files/cia"

table <china> persist file "/etc/pf-files/china"

table <hongkong> persist file "/etc/pf-files/hongkong"

table <taiwan> persist file "/etc/pf-files/taiwan"

table <vietnam> persist file "/etc/pf-files/vietnam"

table <argentina> persist file "/etc/pf-files/argentina"

scrub in all

block in all

antispoof for rl0 inet

pass in quick on rl0 proto tcp from any to rl0 port www

pass in quick on rl0 proto udp from any to rl0 port www

block in quick on rl0 proto tcp from <misc> to rl0 port 25

block in quick on rl0 proto tcp from <spam> to rl0 port 25

block in quick on rl0 from <gov> to any

block in quick on rl0 from <dod> to any

block in quick on rl0 from <fbi> to any

block in quick on rl0 from <cia> to any

block in quick on rl0 proto tcp from <china> to rl0 port 25

block in quick on rl0 proto tcp from <hongkong> to rl0 port 25

block in quick on rl0 proto tcp from <taiwan> to rl0 port 25

block in quick on rl0 proto tcp from <vietnam> to rl0 port 25

block in quick on rl0 proto tcp from <argentina> to rl0 port 25

pass in on rl0 proto tcp from any to rl0 port 25

pass in on rl0 proto tcp from any to rl0 port 110

pass in on rl0 proto tcp from <ssh> to rl0 port 22

pass in on rl0 inet proto icmp all icmp-type echoreq

pass out keep state

 

 

 

 

-------------------

Justin

More information about the freebsd-pf mailing list