# Firewall BIND



## IuckDuth (Nov 17, 2012)

Hello, I have a problem with the firewall. When the firewall is stopped I have a connection to port 53 from an external IP. When the firewall has status: start, I can't connect to port 53 except from localhost.

I am using this line to 'open' the port:


```
pass in on $ext_if proto tcp to ($ext_if) port 53
```
Thank you


----------



## graudeejs (Nov 17, 2012)

You need *proto udp*.
Actually DNS can use both (tcp and udp), but I haven't ever seen tcp (but, you know, I'm not a sysadmin either).

Also you need to pass packets out. I don't remember how to do this correctly with pf; either add keep state or make another rule to pass DNS out.
I think keep state should work, though.


----------



## throAU (Nov 19, 2012)

I suspect DNS uses TCP sometimes for things like zone transfers, but either way the spec is that DNS uses both UDP and TCP, so you need to allow both, as above.


----------



## DutchDaemon (Nov 19, 2012)

DNS also uses TCP for replies bigger than 512 bytes (which is the UDP maximum payload for this service). You must allow tcp/53 for DNS in/out to work. Unwanted zone transfers must be disallowed in named.conf.


----------
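A pf.conf fragment that puts the thread's advice together (both transports, state for the return traffic, a separate outbound rule for the server's own lookups). This is an added illustration, not a rule set any of the posters wrote; the interface name `em0` is an assumption.

```pf
# Added example, not from the thread above. Assumes the external interface
# is em0 (replace with the real one) and that the nameserver runs on this host.
ext_if = "em0"

# Accept DNS queries on both transports: UDP for ordinary queries, TCP for
# answers larger than 512 bytes and for zone transfers. "keep state" lets
# the replies back out without a matching outbound rule; newer pf keeps
# state by default, it is spelled out here for clarity.
pass in on $ext_if proto { tcp udp } from any to ($ext_if) port 53 keep state

# Queries that the nameserver itself originates (recursion, forwarding)
# are not covered by the inbound state entry, so allow them explicitly.
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53 keep state
```

Opening tcp/53 makes zone transfers reachable from outside, so restrict them on the BIND side, for example with `allow-transfer { none; };` (or a list of secondaries) in named.conf, and load the rules with `pfctl -nf /etc/pf.conf` first to catch syntax errors.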

