From owner-freebsd-pf@FreeBSD.ORG  Thu May 26 21:42:10 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: pf@freebsd.org
Delivered-To: freebsd-pf@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 711A116A41C
	for <pf@freebsd.org>; Thu, 26 May 2005 21:42:10 +0000 (GMT)
	(envelope-from eculp@encontacto.net)
Received: from 72-12-2-214.wan.networktel.net (72-12-2-214.wan.networktel.net
	[72.12.2.214]) by mx1.FreeBSD.org (Postfix) with ESMTP id F228C43D4C
	for <pf@freebsd.org>; Thu, 26 May 2005 21:42:09 +0000 (GMT)
	(envelope-from eculp@encontacto.net)
Received: from dsl-201-144-92-62.prod-infinitum.com.mx ([201.144.92.62])
	by 72-12-2-214.wan.networktel.net with esmtp;
	Thu, 26 May 2005 16:42:07 -0500 id 00095A99.429642B0.000143AE
Received: from localhost (localhost [127.0.0.1]) (uid 80)
	by dsl-201-144-92-62.prod-infinitum.com.mx with local;
	Thu, 26 May 2005 16:42:06 -0500
Received: from localhost.encontacto.net (localhost.encontacto.net
	[127.0.0.1]) by mail.encontacto.net (Horde MIME library) with HTTP for
	<eculp@encontacto.net>; Thu, 26 May 2005 16:42:06 -0500
Message-ID: <20050526164206.8s06d5veg44gkocg@mail.encontacto.net>
Date: Thu, 26 May 2005 16:42:06 -0500
From: "Edwin L. Culp" <eculp@encontacto.net>
To: pf@freebsd.org
References: <20050526161315.4997ejvpxwswowsc@mail.encontacto.net>
	<8eea040805052614177ca5e3d9@mail.gmail.com>
In-Reply-To: <8eea040805052614177ca5e3d9@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset=ISO-8859-1;
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) 4.1-cvs
Cc: 
Subject: Re: problem with dns on all and squid on some.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2005 21:42:10 -0000

Quoting Jon Simola <jsimola@gmail.com>:

> On 5/26/05, Edwin L. Culp <eculp@encontacto.net> wrote:
>
>> this configuration there is no dns resolution.  The first problem.
>
>> tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
>
>> block all
>> pass in on $ext_if inet proto tcp from any to ($ext_if) port
>> $tcp_services flags S/SA keep state
>
> DNS is UDP port 53, which you've blocked.

Thanks, Jon, I thought it would work with either but I added a udp line 
before the tcp line.

pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 
$tcp_services flags S/SA keep state

and it works.  Hmmmm......, I wonder if there is something else that I 
need to add to udp?

Thanks,

ed