# pf not allowing DNS queries



## magikman (Dec 2, 2011)

I have a single host on the internet that I am trying to run a DNS server on. I have been unsuccessful in getting PF to allow the queries to happen. Below you will find my rules. Please assist!


```
ext_if="em0"
icmp_types="echoreq"
server="1.1.1.1"
mon_net="10.0.0.1/24"

scrub in on $ext_if all fragment reassemble

# default policy: everything not matched by a later pass rule is blocked and logged
# (pf takes the LAST matching rule unless a matching rule says "quick")
block log all

set skip on lo0

antispoof for $ext_if

block in from no-route to any
block in from urpf-failed to any

block in quick on $ext_if from any to 255.255.255.255

# "quick" ends evaluation here; 10.0.0.0/8 also covers $mon_net (10.0.0.1/24),
# so the icmp pass rule at the bottom never sees packets from $mon_net
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

# drop impossible TCP flag combinations
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

pass in on $ext_if proto tcp from any to $server port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $server port { smtp, imap } flags S/SA
# no direction or interface given, so this matches in and out on every interface;
# it is UDP only: nothing in this ruleset passes DNS over TCP (tcp port 53)
pass log quick proto udp from any to $server port domain
pass in on $ext_if proto icmp from $mon_net icmp-type $icmp_types
```

Thanks!


----------



## _martin (Dec 2, 2011)

Why do you have all those block lines when you've specified:


```
block log all
```

early in the configuration? That line means to block (and log) all in and out connections.

My guess is that the answers from the DNS server are blocked (you can verify with tcpdump, for example).

I would recommend creating a different configuration file, though. If you insist on blocking all in/out connections you can leave the block all rule and specify the pass rules afterward.
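
The ordering point made here (block everything first, then pass what is wanted; the last matching rule decides unless a matching rule says `quick`) can be checked against the ruleset from the first post with a small model of pf's matching. This is an added example, not code from the thread or from pf itself; it models only direction, protocol, addresses, destination port and `quick`, and leaves out antispoof, the no-route/urpf-failed rules, the TCP-flag rules and state tracking. The addresses 203.0.113.9 and 10.0.0.7 are constructed test inputs.

```python
"""Toy model of pf rule evaluation, applied to the ruleset posted above.

Added example, not from the thread.  pf walks the rules top to bottom and
remembers the LAST match; a matching rule marked 'quick' stops the walk at
once; with no match at all the packet passes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out", or None for both
    proto: Optional[str] = None          # "tcp", "udp", "icmp", or None for any
    src: str = "0.0.0.0/0"               # source network
    dst: str = "0.0.0.0/0"               # destination network
    dport: Optional[int] = None          # destination port, None for any
    quick: bool = False                  # stop evaluating when this rule matches
    label: str = ""                      # the pf.conf line this stands for


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet."""
    decision = ("pass", "no rule matched (pf default)")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


# The first post's ruleset, reduced to the fields the model understands.
SERVER = "1.1.1.1"
MON_NET = "10.0.0.1/24"
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

RULESET = [
    Rule("block", label="block log all"),
    *[Rule("block", "in", src=net, quick=True, label=f"block in log quick from {net}")
      for net in BOGONS],
    Rule("pass", "out", label="pass out"),
    Rule("pass", "in", "tcp", dst=SERVER, dport=22, label="pass in ssh"),
    Rule("pass", "in", "tcp", dst=SERVER, dport=25, label="pass in smtp"),
    Rule("pass", "in", "tcp", dst=SERVER, dport=143, label="pass in imap"),
    # no direction in the original line, hence direction=None
    Rule("pass", None, "udp", dst=SERVER, dport=53, quick=True, label="pass log quick udp domain"),
    Rule("pass", "in", "icmp", src=MON_NET, label="pass in icmp from $mon_net"),
]


if __name__ == "__main__":
    samples = [
        Packet("in", "udp", "203.0.113.9", SERVER, 53),   # DNS query over UDP
        Packet("in", "tcp", "203.0.113.9", SERVER, 53),   # DNS query over TCP
        Packet("in", "icmp", "10.0.0.7", SERVER),         # ping from $mon_net
        Packet("in", "tcp", "203.0.113.9", SERVER, 80),   # unsolicited HTTP
    ]
    for pkt in samples:
        action, label = evaluate(RULESET, pkt)
        print(f"{pkt.direction} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {action} ({label})")
```

Two outcomes are worth noting: a DNS query over TCP is decided by `block log all`, because the only DNS pass rule is UDP, and a ping from 10.0.0.7 is decided by the `quick` bogon rule for 10.0.0.0/8 before the `$mon_net` pass rule is ever reached.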


----------



## DutchDaemon (Dec 3, 2011)

Not much point in posting this topic twice. Other thread removed.


----------



## J65nko (Dec 4, 2011)

Besides UDP, nameservers sometimes also use TCP. I removed all that *flags WEUAPRSF/WEUAPRSF* nonsense and simplified the pf.conf to its basics.

```
ext_if="em0"
#ext_if="re0"
icmp_types="echoreq"
server="1.1.1.1"
mon_net="10.0.0.1/24"

scrub in on $ext_if all fragment reassemble

set skip on lo0

# --- DEFAULT POLICY
block log all

antispoof for $ext_if

# --- EXTERNAL INTERFACE

# --- OUT
# this rule allows any traffic initiated from the server.
# if the server gets cracked, the cracker doesn't have to become root to modify the pf.conf
# he just can go ahead and use the server as non-root user for attacking/DOSsing other sites
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $ext_if to any modulate state

# --- IN
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA synproxy state
# DNS over TCP is passed together with the mail ports; UDP DNS gets its own rule below
pass in quick on $ext_if inet proto tcp from any to $ext_if port { smtp, imap, domain } flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $ext_if port domain keep state
pass in quick on $ext_if inet proto icmp from $mon_net to $ext_if icmp-type $icmp_types keep state
```
By using *to $ext_if* there is no need to code the *$server* IP address.

For SSH access I would recommend setting up public key authentication. That is not difficult, but because many have problems with it, I wrote a guide on how to do it. See *Setting up public key password-less 'ssh' access*.
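
The point above about nameservers using TCP as well as UDP, and the earlier suggestion to verify with tcpdump, both come down to one check: does the server answer on both transports from outside the firewall? The probe below is an added example, not code from the thread or from pf; it hand-builds a minimal DNS query in RFC 1035 wire format so the identical bytes go out over UDP and then over TCP (with the two-byte length prefix TCP requires), and reports per transport whether a well-formed response came back. The name example.com, the default server address and the constructed response bytes used for the header decoder are placeholders.

```python
"""Probe a DNS server over UDP and TCP to see which transport the firewall passes.

Added example, not part of the thread.  Only the standard library is used so the
bytes on the wire are exactly what this file builds.
"""
import socket
import struct
import sys


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query: header (id, RD flag, 1 question), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: id, QR (response) bit, TC (truncated) bit, RCODE, answer count."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),   # resolvers retry over TCP when set
        "rcode": flags & 0x000F,
        "answers": an,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 2.0) -> dict:
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server: str, name: str, timeout: float = 2.0) -> dict:
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)        # RFC 1035 4.2.2 length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, length)
    return parse_header(data)


def probe(server: str, name: str) -> dict:
    """Try both transports; a ruleset that passes only UDP shows up as a TCP failure."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = fn(server, name)
            results[transport] = "ok" if hdr["is_response"] else "bad reply"
        except (OSError, ValueError) as exc:
            results[transport] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    # default is the $server placeholder from the thread; pass the real address as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    for transport, outcome in probe(target, "example.com").items():
        print(f"{transport}: {outcome}")
```

Run it from a host outside the firewall while `tcpdump -n -e -ttt -i pflog0 port 53` runs on the server (pflog must be enabled); a transport that fails here should show up there as a packet caught by one of the `block log` rules. The `truncated` field matters for the same reason as the TCP rule: when a UDP answer comes back with TC set, the client repeats the query over TCP.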


----------



## gkontos (Dec 4, 2011)

J65nko said:

> I removed all that *flags WEUAPRSF/WEUAPRSF* nonsense and simplified the pf.conf to its basics.

J65nko said:

> ```
> # --- OUT
> # this rule allows any traffic initiated from the server.
> # if the server gets cracked, the cracker doesn't have to become root to modify the pf.conf
> ...
> ```


*LOL*

:beergrin :beergrin :beergrin


----------



## magikman (Dec 5, 2011)

J65nko said:

> Besides UDP, nameservers sometimes also use TCP. I removed all that *flags WEUAPRSF/WEUAPRSF* nonsense and simplified the pf.conf to its basics.
>
> ```
> ext_if="em0"
> ...
> ```



Passing all traffic out was a temporary thing just to get the server up. The reason that I am using the $server variable rather than the $ext_if variable is that I have an alias on that interface that I don't want to be exposed. To prevent someone from altering the firewall rules I have set the security level to 3 now that I have the rules situated. 

Thanks for your help!


----------

