Re: NPF: newbie experiencing some strange behavior

["g.lister" <g.lister%nodeunit.com@localhost>]

On 06/17/2014 10:02 PM, J. Lewis Muir wrote:
> On 6/17/14, 2:17 PM, g.lister wrote:
> > I think the 'pass final on lo0 all' should be quick-evaluated (no
> > further rule processing should be done) and connectivity to the local
> > named server should not be an issue... the snippet is straight from
> > the examples.
> >
> > I tried playing around with different settings in the config removing
> > stuff and adding stuff to see which might be the offending definition
> > as my intentions and setup are quite detailed so I simplified to what
> > I think are bare bones and as soon as I turn NPF on things don't work
> > network wise.
> >
> > Any hints or ideas are welcome!
> > Thanks in advance.
> > Kind regards,
> > george
>
> Hi, George.
>
> I'm not an NPF expert, in fact, I haven't even used NPF--yet, but are
> you aware that your DNS request is likely UDP?  And even though you're
> connecting to a local DNS server, unless it has a cache of the answer to
> your DNS query, it will need to in turn make a query to a DNS server on
> the Internet to answer your query.

That is a very good point :)

> I see in your rules the following line:
>
> ===
> pass stateful in final proto tcp to 192.168.1.18 port 40200 apply "log"
> ===

The next rule there is

+++
pass out final all
+++

I think it should be evaluated as it is after the blocking of TCP 
transactions so UDP should be going out, but following your comment I 
played around with allowing everything and/or adding a rule for UDP and 
I could get some date from a look up only when I let everything in and 
out. I think I am forgetting something about DNS and how query responses 
are delivered...

Thanks Lewis for getting me going on that path.
Cheers!
George

> So, is that a rule just for TCP?  If so, what rule do you have for UDP?
> Or is all your UDP traffic getting dropped, and hence your DNS look-up
> fails?
>
> Lewis