[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

Ian Smith smithi at nimnet.asn.au
Tue Mar 7 14:43:24 UTC 2017


On Tue, 7 Mar 2017 13:49:25 +0000, bugzilla-noreply at freebsd.org wrote:
 > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
 > 
 > Mark Felder <feld at FreeBSD.org> changed:
 > 
 >            What    |Removed                     |Added
 > ----------------------------------------------------------------------------
 >                  CC|                            |feld at FreeBSD.org
 > 
 > --- Comment #1 from Mark Felder <feld at FreeBSD.org> ---
 > Needs some testers, but this should fix it
 > 
 > https://reviews.freebsd.org/D9920

I've always used these rules from 'client' and 'simple' rulesets:
	${fwcmd} add pass all from any to any frag
which I long ago found essential to pass frags from zen.spamhaus.org.

I haven't used reass - nor DNSSEC - so can't really evaluate, nor test 
currently, so I won't pollute the bug report with what may be musing.

However, looking at the review patch, I do wonder if the reass shouldn't
precede, rather than follow, the check-state?

cheers, Ian

