Subject: Re: problems with pf
To: None <netbsd-users@netbsd.org>
From: George Georgalis <george@galis.org>
List: netbsd-users
Date: 12/26/2005 18:51:41
On Mon, Dec 26, 2005 at 11:07:58PM +0100, Pavel Cahyna wrote:
>On Mon, 26 Dec 2005 16:25:19 -0500, George Georgalis wrote:
>>
>> when I enable the pf rules, dns passes right through...
>>
>> have I missed something or is there any diagnostics I can provide?
>
>brconfig bridge0 ipf
I think that's being taken care of in /etc/ifconfig.bridge0
create
!brconfig $int ipf add fxp0 add fxp1 up
in any event I ran it manually.
>for diagnostic - pf does logging...
methinks a pflogd startup should be added to /etc/rc.d/ even if
not default.
(when I deinstalled /usr/pkgsrc/security/pflkm I also nuked user
_pflogd and /var/chroot/pflogd ...they definitely need to be in place
for pflogd to run)
watching pflog0 with "tcpdump -n -e -ttt -i pflog0" and the ruleset
if_dmz = fpx0
if_net = fpx1
if_br = bridge0
#pass out log on $if_dmz proto { tcp , udp } to any port 53
#pass out log on $if_net proto { tcp , udp } to any port 53
#pass out log on $if_br proto { tcp , udp } to any port 53
pass out log proto { tcp , udp } to any port 53
it would seem packets are only logged if the interface is not
specified; only the uncommented rule above ever logs.
Should I file a PR?
// George
--
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george@galis.org
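As an added check (not from the thread or from pf itself), a small sh script that pulls the `if_*` macros out of a pf.conf and flags any whose value does not name an interface present on the host, so a per-interface rule that can never match is caught before the ruleset is loaded. It assumes the `name = value` macro style used in the ruleset above and, for live use on NetBSD, the interface list from `ifconfig -l`.

```sh
#!/bin/sh
# Added example: sanity-check the interface macros in a pf.conf against the
# interfaces that actually exist. Assumes macros are written "name = value"
# on one line and that interface macros are named if_* as in the ruleset above.

# pf_iface_macros FILE -> prints "macro value" for every if_* macro in FILE.
pf_iface_macros() {
    sed -n 's/^[[:space:]]*\(if_[A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9_]*\)"\{0,1\}.*/\1 \2/p' "$1"
}

# pf_check_ifaces FILE "iface iface ..." -> prints one line per macro whose
# value is not in the space-separated interface list; returns 1 if any.
pf_check_ifaces() {
    _missing=$(pf_iface_macros "$1" | while read -r _m _v; do
        case " $2 " in
            *" $_v "*) ;;
            *) printf '%s = %s: no such interface\n' "$_m" "$_v" ;;
        esac
    done)
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# Constructed sample ruleset (not the one from the thread): one macro names
# an interface that does not exist on the sample host.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
if_ext = wm0
if_int = mw1
if_br  = bridge0
pass out log on $if_ext proto { tcp, udp } to any port 53
EOF

# On a real NetBSD host this would be:
#   pf_check_ifaces /etc/pf.conf "$(ifconfig -l)"
pf_check_ifaces "$SAMPLE_CONF" "wm0 wm1 bridge0" \
    || echo "fix the macros above before loading the ruleset"
```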