OpenBSD Security (Functionally paranoid!)
PF for crossing an rdomain with dnsmasq
I have a router running OpenBSD-current via snapshots. It has dnsmasq from ports set up and working within one rdomain. That mostly works as expected, but when it needs to make its own outbound queries, it stays limited to that same rdomain. I would like to figure out what to put in pf.conf so that dnsmasq may also reach out via the egress port, which lies on a different rdomain.
Code:
                 ( PF )
if01---+-----rdomain010---=---rdomain022-----egress-----Internet
       |     (dnsmasq)
if02---+
       |
if03---+
       |
if04---+

What kind of match or pass rule would I write for pf.conf to add the ability for packets to move like that? The following is quite wrong and does not allow even local DNS queries in dnsmasq:
Code:
pass in on rdomain 010 proto {udp,tcp} from 192.168.1.10 \
    to any port 53 set prio (2, 5) rtable 0
Thanks. It's running on the same system. Again, the interfaces, and dnsmasq, are in one rdomain and the egress is in another. So what I have currently when it tries to reach the egress is dropped packets when a client makes a query that must go to external DNS:
Code:
# tcpdump -lnpqi vether1 'port 4567 or port 53'
tcpdump: listening on vether1, link-type EN10MB
15:33:26.552266 192.168.1.12.57934 > 192.168.1.1.53: udp 28
15:33:26.553200 192.168.1.1.4567 > 203.0.113.209.53: udp 28
15:33:31.551477 192.168.1.12.57934 > 192.168.1.1.53: udp 28
15:33:36.559579 192.168.1.1.4567 > 203.0.113.209.53: udp 28
^C
41 packets received by filter
0 packets dropped by kernel

Code:
# tcpdump -lnpqi vr0 'port 4567 or port 53'
tcpdump: listening on vr0, link-type EN10MB
^C
35 packets received by filter
0 packets dropped by kernel

Code:
pass out on rdomain 010 proto {udp,tcp} from vether1 user { _dnsmasq } rtable 022

Last edited by tsombi digitale; 6th March 2020 at 02:09 PM. Reason: udp AND tcp
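An added diagnostic, not something posted in the thread or part of dnsmasq/PF: the two captures above show the symptom from the packet side (dnsmasq's upstream queries to 203.0.113.209 appear on vether1, the LAN-side interface in the dnsmasq rdomain, and nothing at all reaches vr0, the egress). The POSIX shell script below reads tcpdump output in that same `-lnpq` format, with the interface name prepended to each line, and reports whether the forwarder's upstream queries are leaving through the LAN-side interface instead of the egress. The sample captures are constructed: the first mirrors the thread's output, the second is an assumed working setup where 198.51.100.7 stands in for a NATed egress address.

```shell
#!/bin/sh
# Added example (not from the thread): spot a DNS forwarder whose upstream
# queries leave through the LAN-side rdomain instead of the egress rdomain,
# from tcpdump output. Input format: "<iface> <tcpdump -lnpq line>", i.e. the
# capture lines from the thread with the interface name prepended.

FORWARDER_IP="192.168.1.1"   # dnsmasq listens here (address from the thread)
LAN_IF="vether1"             # interface in the dnsmasq rdomain (from the thread)
EGRESS_IF="vr0"              # egress interface in the other rdomain (from the thread)

# Constructed capture modelled on the thread: the forwarder's upstream queries
# show up on vether1 and nothing reaches vr0.
BROKEN_CAPTURE='vether1 15:33:26.552266 192.168.1.12.57934 > 192.168.1.1.53: udp 28
vether1 15:33:26.553200 192.168.1.1.4567 > 203.0.113.209.53: udp 28
vether1 15:33:31.551477 192.168.1.12.57934 > 192.168.1.1.53: udp 28
vether1 15:33:36.559579 192.168.1.1.4567 > 203.0.113.209.53: udp 28'

# Constructed capture of a working setup (198.51.100.7 is an assumed, NATed
# egress address): the upstream query and its answer appear on vr0 only.
FIXED_CAPTURE='vether1 15:40:01.000000 192.168.1.12.57934 > 192.168.1.1.53: udp 28
vr0 15:40:01.000800 198.51.100.7.4567 > 203.0.113.209.53: udp 28
vr0 15:40:01.020000 203.0.113.209.53 > 198.51.100.7.4567: udp 44
vether1 15:40:01.020500 192.168.1.1.53 > 192.168.1.12.57934: udp 44'

# upstream_queries_on IFACE: read a capture on stdin and print how many port-53
# queries seen on IFACE are addressed to something other than the forwarder
# itself, i.e. queries on their way to an upstream resolver.
upstream_queries_on() {
    awk -v ifc="$1" -v fwd="$FORWARDER_IP" '
        $1 != ifc { next }
        { dst = $5; sub(/:$/, "", dst) }      # "203.0.113.209.53:" -> "203.0.113.209.53"
        dst !~ /\.53$/ { next }               # keep only traffic to port 53
        { sub(/\.[0-9]+$/, "", dst) }         # drop the port, leaving the host
        dst != fwd { n++ }                    # not a client query to dnsmasq itself
        END { print n + 0 }'
}

# has_rdomain_leak CAPTURE: print a summary; succeed (exit 0) when upstream
# queries were seen on the LAN-side interface and none on the egress interface,
# which is exactly the symptom in the thread.
has_rdomain_leak() {
    lan=$(printf '%s\n' "$1" | upstream_queries_on "$LAN_IF")
    wan=$(printf '%s\n' "$1" | upstream_queries_on "$EGRESS_IF")
    printf 'upstream DNS queries: %s on %s, %s on %s\n' "$lan" "$LAN_IF" "$wan" "$EGRESS_IF"
    [ "$lan" -gt 0 ] && [ "$wan" -eq 0 ]
}

for capture in "$BROKEN_CAPTURE" "$FIXED_CAPTURE"; do
    if has_rdomain_leak "$capture"; then
        echo "  -> leak: the forwarder's queries never leave the LAN rdomain"
    else
        echo "  -> ok: the forwarder's queries egress via $EGRESS_IF"
    fi
done
```

To use it on a live box, run one `tcpdump -lnpq` per interface and prefix each line with the interface name (for example through `sed "s/^/vether1 /"`) before feeding the combined output to the functions; a non-zero count on the LAN-side interface with zero on the egress is the rdomain leak the thread describes, and a count on the egress alone is what a working rtable crossing looks like.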
If that is true then maybe I am misunderstanding the position of the DNS cache daemon in all this. I'm not sure this works the way I think it does, but these two seem to be responsible for allowing clients on the LAN to reach the outside:
Code:
. . .
match out on $ext inet from vether1:network to ! vether1:network nat-to ($ext)
. . .
pass in quick on rdomain 010 from <ten> to any set prio (2, 5) rtable 022
. . .
Tags: pf, rdomain