NetBSD-Users archive


Re: NPF: newbie experiencing some strange behavior



On 6/17/14, 2:17 PM, g.lister wrote:
> I think the 'pass final on lo0 all' should be quick-evaluated (no
> further rule processing should be done) and connectivity to the local
> named server should not be an issue... the snippet is straight from
> the examples.
>
> I tried playing around with different settings in the config, removing
> stuff and adding stuff to see which might be the offending definition.
> As my intentions and setup are quite detailed, I simplified to what I
> think are bare bones, and as soon as I turn NPF on things don't work
> network-wise.
>
> Any hints or ideas are welcome!
> Thanks in advance.
> Kind regards,
> george

Hi, George.

I'm not an NPF expert; in fact, I haven't even used NPF yet. But are
you aware that your DNS request is likely UDP?  And even though you're
connecting to a local DNS server, unless it has a cache of the answer to
your DNS query, it will in turn need to make a query to a DNS server on
the Internet to answer your query.

I see in your rules the following line:

===
pass stateful in final proto tcp to 192.168.1.18 port 40200 apply "log"
===

So, is that a rule just for TCP?  If so, what rule do you have for UDP?
Or is all your UDP traffic getting dropped, and hence your DNS look-up
fails?

Lewis
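A minimal npf.conf illustrating the point raised above, added here as an example and not taken from George's configuration, the NetBSD example files, or either poster: the TCP-only rule quoted from the original config is kept as the weak setting, and two rules beneath it admit DNS over both UDP and TCP. The interface name wm0, the resolver address 192.168.1.18 and the "log" procedure body are assumptions for the example.

```conf
# Assumed names and addresses for this example (not from the original thread):
$ext_if = "wm0"
$dns_srv = { 192.168.1.18 }

# Rule procedure referenced by 'apply "log"' below; logs matching packets
# to the npflog0 pseudo-interface (watch it with tcpdump -i npflog0).
procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    # Outbound: a stateful catch-all covers the resolver's own UDP and TCP
    # queries to upstream servers and lets their replies back in.
    pass stateful out final all

    # The TCP-only rule from the thread. Nothing here matches UDP, so UDP
    # queries arriving on this interface fall through to 'block all' below.
    pass stateful in final proto tcp to $dns_srv port 40200 apply "log"

    # Inbound DNS: ordinary queries are UDP; zone transfers and answers that
    # were truncated over UDP are retried over TCP, so allow both on port 53.
    pass stateful in final proto udp to $dns_srv port 53
    pass stateful in final proto tcp to $dns_srv port 53
}

group default {
    # Loopback is passed unconditionally; a local client talking to a
    # resolver on 127.0.0.1 never needs the rules above.
    pass final on lo0 all
    block all
}
```

Before loading, check the file with npfctl validate /etc/npf.conf, then npfctl reload followed by npfctl start. npfctl show lists the rules actually loaded, and npfctl stats counts blocked packets, which is the quickest way to confirm whether UDP port 53 traffic is being dropped rather than, say, failing for an unrelated reason. Note that "stateful" matters on the outbound rule: without it the upstream servers' replies would need their own explicit "pass in" rule for UDP.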

