Re: Issues with IPFW skipto Rule and Whitelisting Logic
- In reply to: Michael Sierchio : "Re: Issues with IPFW skipto Rule and Whitelisting Logic"
Date: Sun, 13 Jul 2025 21:05:10 UTC
> On 13 Jul 2025, at 23:55, Michael Sierchio <kudzu@tenebras.com> wrote:
>
> I haven't had a chance to read this in detail, but
>
> what about UDP? Most DNS traffic is UDP.
>
> And these lines are subtly wrong:
>
> $cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup keep-state
> $cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup keep-state
>
> because 'via' causes these rules to catch packets twice as they're processed by the kernel. IMHO these should be
>
> $cmd 10031 allow tcp from me to any dst-port 443 out xmit $pif setup keep-state
> $cmd 10033 allow tcp from any to me dst-port 443 in recv $pif setup keep-state
>
> I'll have more comments when I get a chance to peruse fully.

I left out unrelated lines to keep my question focused. For DNS traffic, I have:

$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

I'll look into using xmit/recv as you suggested. Thanks for the tip.
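The following is an added example, not part of either message in this thread and not the poster's actual ruleset. It puts the DNS and HTTPS rules quoted above into a stateful ipfw skeleton with the interface qualifiers rewritten as Michael suggests (`in recv $pif` / `out xmit $pif` instead of `via`), adds the `check-state` and default `deny` rules that any `keep-state` ruleset needs and that the poster says were left out of the question, and includes a small lint that counts rules still using `via`. The outside interface name (`em0`), the 10000/65000 rule numbers for `check-state` and the final deny, and the `DRYRUN` switch are assumptions for illustration; `recv`, `xmit` and `via` are the real ipfw(8) interface keywords.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw ruleset using recv/xmit
# instead of via, with a dry-run mode and a lint for leftover 'via' rules.
# Assumptions: pif is the outside interface (em0 here), rule numbers 10000 and
# 65000 for check-state and the default deny are chosen for this example.

pif="em0"

# DRYRUN=1 (the default here) prints the ipfw commands instead of loading them,
# so the script can be reviewed offline before touching a live firewall.
if [ "${DRYRUN:-1}" = "1" ]; then
    cmd="echo ipfw -q add"
else
    cmd="ipfw -q add"
fi

emit_rules() {
    # Dynamic rules created by keep-state are matched here before anything else.
    $cmd 10000 check-state

    # DNS. TCP uses 'setup' so only the initial SYN creates a dynamic rule;
    # UDP has no handshake, so keep-state applies to the first datagram.
    # 'in recv' and 'out xmit' bind each rule to one direction on the interface.
    $cmd 10021 allow tcp from any to me dst-port 53 in recv $pif setup keep-state
    $cmd 10022 allow udp from any to me dst-port 53 in recv $pif keep-state
    $cmd 10023 allow tcp from me to any dst-port 53 out xmit $pif setup keep-state
    $cmd 10024 allow udp from me to any dst-port 53 out xmit $pif keep-state

    # HTTPS, as rewritten in the reply above.
    $cmd 10031 allow tcp from me to any dst-port 443 out xmit $pif setup keep-state
    $cmd 10033 allow tcp from any to me dst-port 443 in recv $pif setup keep-state

    # Anything not matched by a static rule or a dynamic rule is dropped and logged.
    $cmd 65000 deny log ip from any to any
}

# Lint: number of emitted rules that still use 'via' (matches both recv and xmit).
count_via() {
    emit_rules | grep -c ' via ' || true
}

# Total number of rules the ruleset emits.
count_rules() {
    emit_rules | wc -l | tr -d ' '
}

emit_rules
```

Run it as-is to print the commands for review; set `DRYRUN=0` on a FreeBSD host to load them for real. The lint only catches the `via` keyword; it does not check rule ordering, so keep `check-state` ahead of the `allow ... keep-state` rules yourself.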