pf not allowing DNS queries

magikman · Dec 2, 2011

I have a single host on the internet that I am trying to run a DNS server on. I have been unsuccessful in getting PF to allow the queries to happen. Below you will find my rules. Please assist!

Code:

ext_if="em0"
icmp_types="echoreq"
server="1.1.1.1"
mon_net="10.0.0.1/24"
scrub in on $ext_if all fragment reassemble

block log all

set skip on lo0

antispoof for $ext_if

block in from no-route to any

block in from urpf-failed to any

block in quick on $ext_if from any to 255.255.255.255

block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $server port { smtp, imap } flags S/SA 
pass log quick proto udp from any to $server port domain
pass in on $ext_if proto icmp from $mon_net icmp-type $icmp_types

Thanks!

_martin · Dec 2, 2011

Why do you have all those block lines when you've specified:

Code:

block log all

early in the configuration? That line means to block (and log) all in and out connections.

My guess is that answers from DNS server are blocked (you can verify with tcpdump for example).

I would recommend to create different configuration file though. If you insist on blocking all in/out connections you can leave the block all rule and specify the pass rules afterward.

DutchDaemon · Dec 3, 2011

Not much point in posting this topic twice. Other thread removed.

J65nko · Dec 4, 2011

Besides UDP nameservers sometimes also use TCP. I removed all that flags WEUAPRSF/WEUAPRSF nonsense and simplified the pf.conf to its basics.

Code:

ext_if="em0"
#ext_if="re0"
icmp_types="echoreq"
server="1.1.1.1"
mon_net="10.0.0.1/24"

scrub in on $ext_if all fragment reassemble

set skip on lo0

# --- DEFAULT POLICY
block log all

antispoof for $ext_if

# --- EXTERNAL INTERFACE

# --- OUT
# this rule allows any traffic initiated from the server.
# if the server gets cracked, the cracker doesn't have to become root to modify the pf.conf
# he just can go ahead and use the server as non-root user for attacking/DOSsing other sites 
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $ext_if to any modulate state

# --- IN
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port ssh flags S/SA synproxy state
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port { smtp, imap, [color=blue]domain[/color] } flags S/SA keep state 
pass in  quick on $ext_if inet proto udp from any to $ext_if  port domain keep state
pass in  quick on $ext_if inet proto icmp from $mon_net to $ext_if icmp-type $icmp_types keep state

By using to $ext_if there is no need to code the $server IP address.

For SSH access I would recommend to set up public key authentication. That is not difficult, but because many have problems with it, I wrote a guide how to do it. See Setting up public key password-less 'ssh' access

gkontos · Dec 4, 2011

J65nko said:
I removed all that flags WEUAPRSF/WEUAPRSF nonsense and simplified the pf.conf to it's basics.

J65nko said:

Code:

# --- OUT
# this rule allows any traffic initiated from the server.
# if the server gets cracked, the cracker doesn't have to become root to modify the pf.conf
# he just can go ahead and use the server as non-root user for attacking/DOSsing other sites 
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $ext_if to any modulate state

LOL

:beergrin :beergrin :beergrin

magikman · Dec 5, 2011

J65nko said:
Besides UDP nameservers sometimes also use TCP. I removed all that flags WEUAPRSF/WEUAPRSF nonsense and simplified the pf.conf to its basics.

Code:

ext_if="em0" #ext_if="re0" icmp_types="echoreq" server="1.1.1.1" mon_net="10.0.0.1/24" scrub in on $ext_if all fragment reassemble set skip on lo0 # --- DEFAULT POLICY block log all antispoof for $ext_if # --- EXTERNAL INTERFACE # --- OUT # this rule allows any traffic initiated from the server. # if the server gets cracked, the cracker doesn't have to become root to modify the pf.conf # he just can go ahead and use the server as non-root user for attacking/DOSsing other sites pass out quick on $ext_if inet proto { tcp, udp, icmp } from $ext_if to any modulate state # --- IN pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA synproxy state pass in quick on $ext_if inet proto tcp from any to $ext_if port { smtp, imap, [color=blue]domain[/color] } flags S/SA keep state pass in quick on $ext_if inet proto udp from any to $ext_if port domain keep state pass in quick on $ext_if inet proto icmp from $mon_net to $ext_if icmp-type $icmp_types keep state

By using to $ext_if there is no need to code the $server IP address.

For SSH access I would recommend to set up public key authentication. That is not difficult, but because many have problems with it, I wrote a guide how to do it. See Setting up public key password-less 'ssh' access

Passing all traffic out was a temporary thing just to get the server up. The reason that I am using the $server variable rather than the $ext_if variable is that I have an alias on that interface that I don't want to be exposed. To prevent someone from altering the firewall rules I have set the security level to 3 now that I have the rules situated.

Thanks for your help!

pf not allowing DNS queries

magikman

_martin

DutchDaemon

Administrator

J65nko

gkontos

magikman