I'll guess that your outbound DNS traffic is still blocked, because you are only permitting inbound DNS, not outbound DNS.
Avoid the use of "in" "out" and "on" in your rule sets unless absolutely necessary.
I'm tired of guessing. You have been struggling with this particular configuration problem for weeks. So I'll restate what I've tried to state before, and try to be as clear as I can be.
- Traffic is being blocked.
- You have no idea why and post fragments of pf.conf configuration files here and hope we can guess why.
- OpenBSD has tools that can tell you EXACTLY what is happening with PF. They are as easy to use as posting to this forum, and more accurate than our guesses. You are not using them.
Here's a "How To" guide:
- Put the following line at the top of your /etc/pf.conf file. It adds logging to every pass and block rule in the file.
- Reload your rules with
# pfctl -f /etc/pf.conf
- Use the tcpdump(8) command to capture the PF logging you enabled. Start tcpdump() with this command. The use of a pipe "|" and tee(1) sends the output both to a file and to your shell in a console or window. The tcpdump() program will continue to run until you stop it with CTRL-C.
Code:
# tcpdump -neti pflog0 | tee /tmp/my.pf.log.output
- While tcpdump is running, test any of your failing connections.
- You may stop your tcpdump() program after capturing traffic with CTRL-C.
- In the output, you will see the traffic being filtered, whether the action was pass or block, and the rule number of the pass or block rule.
- To map the rule number to the specific rule in your /etc/pf.conf file, issue the command
# pfctl -sr -R <number>
If a
block rule is very broad, such as a first
block all, then your traffic does not match any subsequent rule.