[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

Ian Smith smithi at nimnet.asn.au
Tue Mar 7 15:27:34 UTC 2017


On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
 > On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:

 > >  > https://reviews.freebsd.org/D9920
 > > 
 > > I've always used these rules from 'client' and 'simple' rulesets:
 > > 	${fwcmd} add pass all from any to any frag
 > > which I long ago found essential to pass frags from zen.spamhaus.org
 > > 
 > > I haven't used reass - nor DNSSEC - so can't really evaluate, nor test 
 > > currently, so I won't pollute the bug report with what may be musing.
 > > 
 > > However, looking at the review patch, I do wonder if the reass shouldn't
 > > precede, rather than follow, the check-state?
 > > 
 > 
 > My pre-coffee brain said "UDP isn't stateful; should be fine to put this
 > after check-state". I didn't evaluate it further than that.

1) code, 2) coffee, 3) recode :-)

All DNS requests routed from LAN clients here run statefully, in an 
otherwise mostly static firewall, though not those issued by sendmail, 
which are those returning big fragmented UDP packets from spamhaus.org.

Again, I'm just reading how reass works, but I presume you'd want to 
pass the whole reassembled packet at check-state?

Michael seems to confirm.  Further, it's nothing but convention having 
check-state as the very first rule, whereas that is advised for reass.

cheers, Ian
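Added illustration of the ordering point discussed above (not code from the bug report, the D9920 review, or anyone in the thread): a minimal rc.firewall-style fragment in which `reass` is placed ahead of `check-state`, so that the dynamic-rule lookup runs against the whole reassembled datagram rather than an individual fragment. Rule numbers and the `fwcmd` dry-run default are constructed for this example; the rule syntax (`reass`, `check-state`, `keep-state`) is the documented ipfw(8) form.

```shell
#!/bin/sh
# Added example, not the project's own rc.firewall: load a small stateful DNS
# ruleset with reassembly ahead of check-state.  By default fwcmd is a dry run
# that only prints the rules; set fwcmd="/sbin/ipfw" on a real host to load them.
fwcmd="${fwcmd:-echo ipfw}"

# Emit the rules in order.  Rule numbers are constructed for this example.
dns_rules() {
    # Reassemble inbound fragments first, before any stateful rule, so that
    # check-state sees whole (possibly large, DNSSEC-sized) UDP replies.
    ${fwcmd} add 100 reass all from any to any in
    # Match existing dynamic rules against the reassembled packet.
    ${fwcmd} add 200 check-state
    # Outbound DNS from this host creates the dynamic rule for the reply.
    ${fwcmd} add 300 allow udp from me to any 53 out keep-state
    ${fwcmd} add 310 allow tcp from me to any 53 out setup keep-state
    # Everything not matched above is dropped.
    ${fwcmd} add 65000 deny ip from any to any
}

# Sanity check on the emitted order: returns 0 when the reass rule comes
# before check-state in the dry-run output, non-zero otherwise.
reass_before_check_state() {
    out=$(dns_rules)
    r=$(printf '%s\n' "$out" | grep -n ' reass ' | cut -d: -f1)
    c=$(printf '%s\n' "$out" | grep -n 'check-state' | cut -d: -f1)
    [ -n "$r" ] && [ -n "$c" ] && [ "$r" -lt "$c" ]
}
```

Run it as-is to see the rules printed; `reass_before_check_state` is a self-check that the reassembly rule precedes the stateful lookup, which is the ordering the thread is questioning. The `pass all from any to any frag` rule from the older 'client' and 'simple' rulesets is the alternative to reassembly: it lets fragments through unreassembled, which is why it was never affected by where check-state sits.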
