[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
Mark Felder
feld at FreeBSD.org
Tue Mar 7 14:51:31 UTC 2017
On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> On Tue, 7 Mar 2017 13:49:25 +0000, bugzilla-noreply at freebsd.org wrote:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
> >
> > Mark Felder <feld at FreeBSD.org> changed:
> >
> > What |Removed |Added
> > ----------------------------------------------------------------------------
> > CC| |feld at FreeBSD.org
> >
> > --- Comment #1 from Mark Felder <feld at FreeBSD.org> ---
> > Needs some testers, but this should fix it
> >
> > https://reviews.freebsd.org/D9920
>
> I've always used these rules from 'client' and 'simple' rulesets:
> ${fwcmd} add pass all from any to any frag
> which I long ago found essential to pass frags from zen.spamhaus.org
>
> I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> currently, so I won't pollute the bug report with what may be musing.
>
> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?
>
My pre-coffee brain said "UDP isn't stateful; should be fine to put this
after check-state". I didn't evaluate it further than that.
--
Mark Felder
ports-secteam & portmgr member
feld at FreeBSD.org
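An illustration of the ordering question raised above (added here as an example; this is not the text of rc.firewall, of the D9920 review, or of either poster): a dry-run generator for a minimal ipfw ruleset in which inbound IP fragments are reassembled before check-state, so that a fragmented UDP reply (DNSSEC answers routinely exceed the classic 512-byte limit) can be matched against the dynamic rule created by the outbound query. A fragment after the first carries no UDP header, so a stateful lookup on it cannot succeed until reassembly has happened. The rule numbers, the port-53 rule and the substitution of `echo` for `/sbin/ipfw` are assumptions made for illustration.

```shell
# Added example, not rc.firewall or the D9920 patch. "echo" stands in for
# /sbin/ipfw so the ruleset can be inspected on any host without loading it.
fwcmd="echo ipfw"      # on a real host this would be fwcmd="/sbin/ipfw"

# Emit the ruleset in order, one rule per line (assumed rule numbers).
build_rules() {
    # Reassemble inbound fragments first: non-first fragments carry no
    # L4 header, so check-state cannot match them before reassembly.
    ${fwcmd} add 100 reass all from any to any in
    # Dynamic-rule lookup now sees complete datagrams.
    ${fwcmd} add 200 check-state
    # The outbound DNS query creates the state the reassembled reply matches.
    ${fwcmd} add 300 allow udp from me to any 53 out keep-state
    ${fwcmd} add 65534 deny log ip from any to any
}

# Helper for checking the ordering: rule number of the first rule whose
# text matches the given pattern.
rule_number() {
    build_rules | grep -- "$1" | head -n 1 | awk '{print $3}'
}

build_rules
```

Running the script prints the four rules; swapping the `reass` and `check-state` lines reproduces the failure mode discussed in the thread, where the second and later fragments of a large reply never match the dynamic rule and fall through to the final deny.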