From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: freebsd-pf@freebsd.org
Date: Mon, 9 Oct 2006 07:46:52 +0100
Subject: RE: Need a little PF help here, please...
Message-ID: <000301c6eb6e$b49aeda0$0201a8c0@vaio>
In-Reply-To: <000001c6eb31$bab05140$6401a8c0@iea4grrtmmd560>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> However, if I comment out the PF rule "block in all" then suddenly I can ping
> yahoo.com. Why will my server not resolve names (like yahoo.com) if the
> "block in all" statement exists? Why does that statement mess it up?
> What am I missing? Please help because I am totally frustrated.
>
> block in all

The default block rule should always have logging enabled, no exceptions.

It should be

    block log all

The pf logs would have told you straight away what was being dropped and why.

On a side note, the default block rule should match both ingress and egress
traffic. A system cannot be deemed secure if it implicitly allows egress
traffic to flow.

Greg
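As an added illustration of the advice above (this is not Greg's ruleset nor the original poster's, and the interface name and resolver addresses are constructed placeholders), here is a minimal pf.conf that applies both points: a logged default deny that covers ingress and egress, plus stateful pass rules so that the DNS replies a bare "block in all" was dropping are let back in by the state entry created on the way out.

```pf
# /etc/pf.conf  -- constructed example, not from the thread
ext_if      = "em0"                         # assumption: external interface
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"  # placeholder resolver addresses

# Loopback traffic is not filtered.
set skip on lo0

# Default deny in BOTH directions, logged.  Every dropped packet is written
# to pflog0, which is what shows you that inbound DNS answers are being eaten.
block log all

# Stateful egress for DNS.  The state created by the outbound query is what
# allows the matching reply back in past the default block above.
pass out on $ext_if proto udp from ($ext_if) to $dns_servers port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to $dns_servers port 53 flags S/SA keep state

# Outbound ping, again stateful so the echo reply is admitted.
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq keep state
```

Check the syntax before loading with "pfctl -nf /etc/pf.conf", then load with "pfctl -f /etc/pf.conf". With "block log all" in place, "tcpdump -n -e -ttt -i pflog0" shows each dropped packet together with the rule number and direction that matched, so a missing pass rule is diagnosed from the log rather than by commenting out the block rule.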