I am trying to create a rule to allow DNS queries (port 53) only to the 8.8.8.8
server (Google DNS). DNS queries to all other servers should not succeed.
I added the following lines to the /etc/pf.conf file:
anchor "com.xyz"
load anchor "com.xyz" from "/etc/pf.anchors/com.xyz"
and then I added the file com.xyz to the /etc/pf.anchors folder. The contents of the com.xyz file are given below:
# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
pass out proto tcp from any to 8.8.8.8 port 53
pass out proto udp from any to 8.8.8.8 port 53
This is not working; I am still able to access the internet using some other DNS server. Any suggestions as to why it is not working?
Best Answer
Your snippet looks good, although I suspect we're missing pieces. A minimalistic ruleset doing what you're looking for:
And in some cases, you may also need something like:
I assume you've already enabled IP forwarding?
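As an added example (not code from the question or the answer above), here is an anchor file that does what the question asks. It keeps the anchor name and path from the question (com.xyz, /etc/pf.anchors/com.xyz) and assumes 8.8.8.8 is the only permitted resolver. The point it illustrates: pf's default verdict is pass, and without quick the last matching rule wins, so a ruleset that contains only pass rules never blocks anything; the two "pass out ... to 8.8.8.8" lines in the question permit Google DNS but do nothing to stop queries to any other server. An explicit block rule for port 53 is required.

```pf
# /etc/pf.anchors/com.xyz  (added example, not from the original post)
# Loaded by the two anchor lines in /etc/pf.conf shown in the question.

# Assumption: 8.8.8.8 is the only resolver that may be used.
resolver = "8.8.8.8"

# Allow DNS (TCP and UDP) to the chosen resolver. "quick" makes these
# rules final for matching packets, so the block rule below cannot
# override them; without quick, pf applies the last rule that matches.
pass out quick proto { tcp udp } from any to $resolver port 53

# Everything else bound for port 53 is dropped. "log" records the
# blocked queries on the pflog interface so you can see what is
# still trying to reach other resolvers.
block drop out log proto { tcp udp } from any to any port 53
```

Reload only this anchor with sudo pfctl -a com.xyz -f /etc/pf.anchors/com.xyz, confirm the rules are actually in place with sudo pfctl -a com.xyz -sr (an empty listing means the anchor was never loaded, which is a common reason "nothing happens"), and make sure pf itself is enabled with sudo pfctl -e. Then compare dig @8.8.8.8 example.com (should answer) against dig @1.1.1.1 example.com (should time out). Two caveats: these rules only cover classic DNS on port 53, so an application using DNS over HTTPS (port 443) or DNS over TLS (port 853) bypasses them entirely; and because they apply to every outbound port-53 packet from the host, they also cover queries sent by a local caching resolver on the machine, not just those from the process you are testing with.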