On 06/17/2014 11:32 PM, J. Lewis Muir wrote:
> On 6/17/14, 4:02 PM, g.lister wrote:
>> The next rule there is +++ pass out final all +++. I think it should be evaluated as it is, after the blocking of TCP transactions, so UDP should be going out, but following your comment I played around with allowing everything and/or adding a rule for UDP, and I could get some data from a lookup only when I let everything in and out. I think I am forgetting something about DNS and how query responses are delivered...
>
> Hi, George. Is the "pass out final all" rule stateful by default? If not, then your UDP query may be going out, but NPF would be blocking the response since I don't see a rule to pass it in.
Hi Lewis,

Nope, I do not have that in the rule. I added it and changed things a bit and now it works, thanks!!!

Here is the final conf:

    group (name "internal_net", interface wm0) {
        block in all
        pass stateful in final proto tcp to 192.168.1.18 port 40200
        pass stateful in final proto udp to 192.168.1.18 port 13568
        pass stateful out final all
    }
> A client DNS query usually uses a UDP connection to a DNS server on port 53, but it can sometimes use a TCP connection on port 53. It will send a query to the server and expect a response. It looks like your NPF rules might be blocking that response.
I was checking this again today, and UDP is used for queries and responses, but TCP for zone transfers. I think my original rule set was too restrictive and incomplete, as you kindly pointed out, and I was not getting the response back, so it timed out.

Best,
George
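The exchange discussed in this thread, as an added example that is not part of the thread, of NPF, or of NetBSD: the first part builds a real DNS query and decodes the reply header (the ID and the TC flag, which is what makes a client repeat the question over TCP port 53); the second part is a deliberately small model of stateful filtering, in which an outbound packet matching a stateful rule records the flow and an inbound packet is accepted only if it is the reverse of a recorded flow. That model is a simplification for illustration, not NPF's state engine. The client address 192.168.1.18 comes from the config above; the resolver address 192.168.1.1 and the client-side ports are assumed.

```python
"""Why 'block in all' needs 'pass stateful out' for a DNS lookup to work.

Constructed example, not code from the thread or from NPF.
"""
import struct
from dataclasses import dataclass

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: client should retry the question over TCP
FLAG_RD = 0x0100   # recursion desired


def build_query(name: str, qid: int, qtype: int = QTYPE_A) -> bytes:
    """Return a DNS query message: RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header of a query or a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid,
            "is_response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def needs_tcp_retry(reply: bytes, expected_id: int) -> bool:
    """True when a UDP reply answers our ID but carries TC=1."""
    h = parse_header(reply)
    return h["is_response"] and h["id"] == expected_id and h["truncated"]


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Toy model: 'block in all' plus 'pass out all' or 'pass stateful out all'."""

    def __init__(self, host: str, stateful_out: bool):
        self.host = host
        self.stateful_out = stateful_out
        self.flows = set()   # (proto, local, lport, remote, rport)

    def outbound(self, pkt: Packet) -> bool:
        if pkt.src != self.host:
            return False
        if self.stateful_out:   # only a stateful rule records the flow
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Everything inbound is blocked unless it answers a recorded flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def dns_exchange(stateful_out: bool, resolver: str = "192.168.1.1") -> dict:
    """Replay the thread's lookup: query out over UDP, reply back from port 53.

    resolver and the client port 50123 are assumed values for the example.
    """
    client = "192.168.1.18"          # the host in the thread's config
    fw = Firewall(client, stateful_out)
    query = Packet("udp", client, 50123, resolver, 53)
    reply = Packet("udp", resolver, 53, client, 50123)
    stray = Packet("udp", resolver, 53, client, 40000)   # unsolicited packet
    return {"query_out": fw.outbound(query),
            "reply_in": fw.inbound(reply),
            "stray_in": fw.inbound(stray)}


if __name__ == "__main__":
    for mode in (False, True):
        print("pass stateful out" if mode else "plain pass out", dns_exchange(mode))
    print(parse_header(build_query("example.com", 0x1234)))
```

With the plain rule the query leaves and the reply is dropped, which is the timeout George saw; with the stateful rule the reply matches the recorded flow and an unrelated packet from the same resolver is still blocked. A reply with TC set is the case where the same question has to be repeated over TCP port 53, so that flow needs the stateful rule too.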