I am attempting to allow out precisely what is being used and nothing more. That said, I am looking at outbound DNS being logged and dropped:
snippet of tcpdump, replaced my IP address with <ME>
Code:
07:14:43.789675 IP <ME>.53326 > 9.9.9.9.853: Flags [FP.], seq 0:24, ack 1, win 1027, options [nop,nop,TS val 735542765 ecr 315021820], length 24
07:14:47.509667 IP <ME>.53326 > 9.9.9.9.853: Flags [.], ack 1, win 1026, options [nop,nop,TS val 735546485 ecr 315021820], length 0
07:15:02.509656 IP <ME>.53326 > 9.9.9.9.853: Flags [.], ack 1, win 1026, options [nop,nop,TS val 735561485 ecr 315021820], length 0
07:15:04.469655 IP <ME>.53326 > 9.9.9.9.853: Flags [RP.], seq 1:24, ack 1, win 0, options [nop,nop,TS val 735563445 ecr 315021820], length 23
macros / rules
Code:
NETWORK_DNS_PROTOCOL="tcp"
NETWORK_DNS_PORTS="853"
NETWORK_DNS_SERVERS="9.9.9.9 208.67.222.123 208.67.220.123 208.67.222.222 208.67.220.220 1.1.1.1 8.8.8.8 8.8.4.4"
pass out quick on wan proto {$NETWORK_DNS_PROTOCOL} to {$NETWORK_DNS_SERVERS} port {$NETWORK_DNS_PORTS} modulate state queue top
I tried adding modulate state to the rule, to no avail; according to the docs for OpenBSD pf, the default is flags S/SA and keep state.
This isn't preventing DNS from working; however, I'd ideally like my logs to be 'clean' such that anything in them indicates a problem. I'm hoping to filter out this noise if at all possible.
In an attempt to Google and perhaps solve the problem myself, I came across:
Hitting the PF state table limit
I recently had an issue with an OpenBSD firewall where the number of state table entries was hitting the default limit of 10,000. When this limit is reached, no new state entries can be created. If you're using "keep state", "modulate state" or "synproxy state" on your rules or if you're running...
www.packetmischief.ca
I have already set my limits high so that my tables can accommodate my country blocks, so my limit is: 1000000. I have coredns set to only talk to DNS servers using TCP:853.
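Added example (my own script, not the poster's and not pf's code): it parses the tcpdump lines quoted above and checks each packet against the rule's flag mask. With pf's default flags S/SA, only a packet with SYN set and ACK clear can create a state entry for the pass out rule; a FIN/PSH/ACK, a bare ACK or an RST/PSH/ACK like the four logged here can only pass through a state that already exists, so being logged as blocked means no matching state was present at that moment. The macro values are taken from the post; the four lines are embedded as constructed sample input, and the `<ME>` placeholder is kept as the source address.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four tcpdump lines quoted in the post.
SAMPLE_TCPDUMP = """\
07:14:43.789675 IP <ME>.53326 > 9.9.9.9.853: Flags [FP.], seq 0:24, ack 1, win 1027, options [nop,nop,TS val 735542765 ecr 315021820], length 24
07:14:47.509667 IP <ME>.53326 > 9.9.9.9.853: Flags [.], ack 1, win 1026, options [nop,nop,TS val 735546485 ecr 315021820], length 0
07:15:02.509656 IP <ME>.53326 > 9.9.9.9.853: Flags [.], ack 1, win 1026, options [nop,nop,TS val 735561485 ecr 315021820], length 0
07:15:04.469655 IP <ME>.53326 > 9.9.9.9.853: Flags [RP.], seq 1:24, ack 1, win 0, options [nop,nop,TS val 735563445 ecr 315021820], length 23
"""

# Values from the post's macros (NETWORK_DNS_SERVERS / NETWORK_DNS_PORTS).
NETWORK_DNS_SERVERS = {
    "9.9.9.9", "208.67.222.123", "208.67.220.123", "208.67.222.222",
    "208.67.220.220", "1.1.1.1", "8.8.8.8", "8.8.4.4",
}
NETWORK_DNS_PORT = 853

# tcpdump's one-letter TCP flag notation mapped to pf's letters; '.' is ACK.
TCPDUMP_FLAGS = {"S": "S", "F": "F", "R": "R", "P": "P", ".": "A",
                 "U": "U", "E": "E", "W": "W"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>\d+) > "
    r"(?P<dst>.+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # pf-style letters: S A F R P U E W


def parse_tcpdump_line(line):
    """Parse one tcpdump TCP line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    flags = frozenset(TCPDUMP_FLAGS[c] for c in m["flags"] if c in TCPDUMP_FLAGS)
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), flags)


def matches_flag_spec(flags, spec="S/SA"):
    """pf 'flags a/b': of the flags named in mask b, exactly those in a are set.

    'S/SA' therefore means SYN set and ACK clear, which is the only packet
    that can create state for a rule using the default flag spec.
    """
    want, mask = spec.split("/")
    return all((f in flags) == (f in want) for f in mask)


def in_rule_scope(pkt):
    """Does the packet match the pass out rule's destination and port?"""
    return pkt.dst in NETWORK_DNS_SERVERS and pkt.dport == NETWORK_DNS_PORT


def classify(text, spec="S/SA"):
    """For each parsed packet, say whether the rule could create state for it.

    A packet that is in scope but cannot create state only passes if a state
    entry already exists; seen in the block log, it means none did.
    """
    rows = []
    for line in text.splitlines():
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        scoped = in_rule_scope(pkt)
        rows.append({
            "ts": pkt.ts,
            "flags": "".join(sorted(pkt.flags)),
            "in_rule_scope": scoped,
            "creates_state": scoped and matches_flag_spec(pkt.flags, spec),
        })
    return rows


def count_needing_existing_state(rows):
    """Packets the rule would pass only via an existing state entry."""
    return sum(1 for r in rows if r["in_rule_scope"] and not r["creates_state"])


if __name__ == "__main__":
    result = classify(SAMPLE_TCPDUMP)
    for r in result:
        print(r)
    print("packets needing an existing state:", count_needing_existing_state(result))
```

Changing the `spec` argument (for example to `"any"` style matching is not supported here; pass a pf-style `a/b` string such as `"S/SAFR"`) shows how a different flags clause changes which packets could open a state; none of the four logged packets has SYN set, so no flag spec with S in its set part will ever let them create one.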