Subject: Re: problems with pf
To: None <netbsd-users@netbsd.org>
From: George Georgalis <george@galis.org>
List: netbsd-users
Date: 01/03/2006 19:45:57
On Tue, Jan 03, 2006 at 07:37:16PM +0100, Pavel Cahyna wrote:
>On Mon, Dec 26, 2005 at 07:05:29PM -0500, George Georgalis wrote:
>> On Mon, Dec 26, 2005 at 06:51:41PM -0500, George Georgalis wrote:
>> >
>> >if_dmz = fpx0
>> >if_net = fpx1
>> >if_br = bridge0
>> >#pass out log on $if_dmz proto { tcp , udp } to any port 53
>> >#pass out log on $if_net proto { tcp , udp } to any port 53
>> >#pass out log on $if_br proto { tcp , udp } to any port 53
>> >pass out log            proto { tcp , udp } to any port 53
>> >
>> >it would seem packets are only logged if the interface is not
>> >specified, only the uncommented rule above ever logs.
>> 
>> DOH! I miss macro-ed my interface!
>> 
>> if_dmz = "fxp0"
>> if_net = "fxp1"
>> if_br = "bridge0"
>> pass out log on fxp1 proto tcp from any to any port = domain
>> pass out log on fxp1 proto udp from any to any port = domain
>> 
>> out on fxp1 logs fine presumably out on bridge0 shouldn't log.
>
>So, does your pf on bridge setup work now correctly?

Sorry I wasn't more clear. pf on the bridge appears to work as expected.
This is only my second pf install so I can't say I tested it thoroughly.
I did run some more rules just now and learned something... a bit more
obvious than it should have been for me...

if_dmz = fxp0
if_net = fxp1
block drop in  log proto {tcp,udp} to any port {67,68}
block drop out log proto {tcp,udp} to any port {67,68}
#block drop in  log on $if_net proto {tcp,udp} to any port 53
block drop in  log on $if_dmz proto {tcp,udp} to any port 53
block drop out log on $if_net proto {tcp,udp} to any port 53

dns requests from the dmz to the internet are not blocked by
the commented line because the "incoming replies" are not on
that port. That lone rule, however, is effective to block dns
queries from the internet to a dns server on the dmz. Either of
the remaining two dns rules will block dns queries from the dmz.

I'm happy to try any other rule tests if you'd provide them.

BTW - Pavel, your mail client sets Mail-Followup-To on your list
posts, but doesn't accept my direct mail. Apparently because my
mx doesn't accept port 25 from subnets delegated to cz, but your
relay checks for a working reply smtp as a condition of accepting
a message. ...I'm planning a change on my filtering and will
probably allow all subnets to connect in the future, but for now
there is no access for some countries.

Regards,
// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george@galis.org
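The observation above (that "block in on $if_net ... port 53" only catches queries arriving from the internet, because the replies to DMZ-originated queries do not have 53 as their destination port) can be checked with a small stateless model of pf rule matching. The following is an added example, not part of the original post and not pf's own code. It assumes the bridge carries fxp0 (dmz) and fxp1 (net), that every packet is evaluated once "in" on the interface it arrives on and once "out" on the interface it leaves by, and that the rules use neither "quick" nor "keep state", so the last matching rule wins and replies are judged on their own. The ephemeral client port 51234 and the helper names are constructed for the example.

```python
"""Toy stateless model of the pf rules from the post (added example, not pf itself).

Assumed topology: a pf bridge with fxp0 (dmz) and fxp1 (net). Each packet is
seen twice: 'in' on the interface it arrives on, 'out' on the one it leaves by.
No 'quick', no 'keep state': the last matching rule decides, replies stand alone.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?\s*$')


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out" from the firewall's point of view
    proto: str        # "tcp" or "udp"
    dport: int        # destination port


@dataclass(frozen=True)
class Rule:
    action: str                       # "block" or "pass"
    direction: str                    # "in" or "out"
    iface: Optional[str]              # None: any interface
    protos: Optional[FrozenSet[str]]  # None: any protocol
    dports: Optional[FrozenSet[int]]  # None: any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.iface is None or self.iface == pkt.iface)
                and (self.protos is None or pkt.proto in self.protos)
                and (self.dports is None or pkt.dport in self.dports))


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_rule(line: str, macros: dict) -> Rule:
    """Parse the subset of pf.conf rule syntax used in the post."""
    line = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)          # expand $macros
    line = re.sub(r"\{([^}]*)\}", lambda m: m.group(1).replace(" ", ""), line)  # { a , b } -> a,b
    toks = line.split()
    action, i = toks[0], 1
    if toks[i] == "drop":        # 'block drop' only sets block's return policy
        i += 1
    direction, i = toks[i], i + 1
    iface = protos = dports = None
    while i < len(toks):
        t = toks[i]
        if t == "log":
            i += 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "proto":
            protos, i = frozenset(toks[i + 1].split(",")), i + 2
        elif t in ("from", "to"):  # only 'any' addresses appear in the post
            i += 2
        elif t == "port":
            i += 1
            if toks[i] == "=":
                i += 1
            dports, i = frozenset(_port(p) for p in toks[i].split(",")), i + 1
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return Rule(action, direction, iface, protos, dports)


def parse_config(text: str) -> list:
    """Macros and rules, comments stripped, in file order."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(parse_rule(line, macros))
    return rules


def verdict(rules: list, pkt: Packet, default: str = "pass") -> str:
    """pf without 'quick': the last matching rule wins."""
    result = default
    for r in rules:
        if r.matches(pkt):
            result = r.action
    return result


def flow(client_if: str, server_if: str, qport: int = 53, eph: int = 51234) -> list:
    """The four hops of one UDP query and its reply across the bridge (stateless view)."""
    return [
        Packet(client_if, "in", "udp", qport),   # query enters from the client side
        Packet(server_if, "out", "udp", qport),  # query leaves toward the server
        Packet(server_if, "in", "udp", eph),     # reply enters: dport is the client's port, not 53
        Packet(client_if, "out", "udp", eph),    # reply leaves toward the client
    ]


def flow_blocked(rules: list, hops: list) -> bool:
    """The exchange fails if any hop is blocked."""
    return any(verdict(rules, p) == "block" for p in hops)


DMZ_TO_INTERNET = flow("fxp0", "fxp1")   # DMZ host querying an internet resolver
INTERNET_TO_DMZ = flow("fxp1", "fxp0")   # internet host querying a DNS server in the DMZ

# The rules as they appear in the post (the 'in on $if_net' DNS rule commented out).
POST_CONFIG = """
if_dmz = fxp0
if_net = fxp1
block drop in  log proto {tcp,udp} to any port {67,68}
block drop out log proto {tcp,udp} to any port {67,68}
#block drop in  log on $if_net proto {tcp,udp} to any port 53
block drop in  log on $if_dmz proto {tcp,udp} to any port 53
block drop out log on $if_net proto {tcp,udp} to any port 53
"""

# Only the commented-out rule, active on its own.
LONE_RULE_CONFIG = """
if_net = fxp1
block drop in  log on $if_net proto {tcp,udp} to any port 53
"""


def blocks_dmz_queries(config: str) -> bool:
    return flow_blocked(parse_config(config), DMZ_TO_INTERNET)


def blocks_internet_queries(config: str) -> bool:
    return flow_blocked(parse_config(config), INTERNET_TO_DMZ)


if __name__ == "__main__":
    print("post config blocks dmz->internet:", blocks_dmz_queries(POST_CONFIG))
    print("post config blocks internet->dmz:", blocks_internet_queries(POST_CONFIG))
    print("lone rule blocks dmz->internet:", blocks_dmz_queries(LONE_RULE_CONFIG))
    print("lone rule blocks internet->dmz:", blocks_internet_queries(LONE_RULE_CONFIG))
```

Running it shows the lone "in on fxp1 port 53" rule stopping only the internet-to-DMZ query, while either of the two rules the post kept (in on fxp0, or out on fxp1, to port 53) stops the DMZ-originated query on its first or second hop. Once "keep state" is used the reply is matched against the state entry rather than against the rules, so this stateless picture no longer applies.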