Date:      Fri, 13 Mar 2009 22:43:27 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Dmitriy Demidov <dima_bsd@inbox.lv>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID:  <20090313214327.GA1675@onelab2.iet.unipi.it>
In-Reply-To: <200903132246.49159.dima_bsd@inbox.lv>
References:  <200903132246.49159.dima_bsd@inbox.lv>

On Fri, Mar 13, 2009 at 10:46:48PM +0200, Dmitriy Demidov wrote:
> Hi list.
> 
> I'm using DNS cache server Unbound-1.2.1. I want to start using DNSSEC via DLV (unbound gracefully allows it).
> My system is FreeBSD7-STABLE. I'm using ipfw.
> 
> Original ipfw configuration:
> add check-state
> add deny icmp from any to any frag
> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
> 
> /etc/sysctl.conf
> net.inet.ip.fw.dyn_udp_lifetime=60
> 
> The problem is that Unbound can't do DNSSEC validation using this firewall configuration. It blames something like this:
> [1236970569] unbound[9096:3] info: resolving <dlv.isc.org. DNSKEY IN>
> [1236970569] unbound[9096:3] info: failed to prime trust anchor -- could not fetch DNSKEY rrset <dlv.isc.org. DNSKEY IN>
> [1236970569] unbound[9096:3] info: Could not establish a chain of trust to keys for <dlv.isc.org. DNSKEY IN>
> 
> Unbound starts working only when I put this set of rules in ipfw to handle all UDP packets outside of the keep-state rules:
> add allow udp from any to any
> add check-state
> add deny icmp from any to any frag
> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
> 
> It looks like dynamically created rules somehow inadequately handle big UDP packets (DNSSEC answers are big).
> Is there anyone who can help investigate this issue (it looks like I can't do it myself)?
> Can it be an ipfw related issue?

It is not related to dynamic rules, but to the fact that
the firewall is called before reassembling packets.
The info (port numbers especially) is not available
in the fragments so the firewall cannot do anything.
The only solution would be to call the firewall
after reassembly. I am not sure if there is any work in progress
for that.

	cheers
	luigi
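To illustrate the point made above, here is an added Python model (not code from this thread or from ipfw itself): it fragments a constructed UDP datagram of DNSSEC-answer size the way RFC 791 prescribes, then runs each fragment through a minimal 5-tuple lookup standing in for an ipfw dynamic (keep-state) rule. The addresses, ports, payload and the simplified rule model are assumptions.

```python
import struct

# Constructed sample: a UDP reply from 192.0.2.53:53 to 192.0.2.10:5353
# (documentation addresses) whose body is DNSSEC-sized; content is irrelevant.
SRC, DST, SPORT, DPORT = "192.0.2.53", "192.0.2.10", 53, 5353
ANSWER = b"\x00" * 1600

def build_udp(sport, dport, body):
    """UDP header (RFC 768) followed by the payload; checksum 0 means 'none'."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def fragment(src, dst, transport, mtu=1500):
    """Split the transport part of an IPv4 datagram into fragments as RFC 791
    requires: non-final fragments carry a multiple of 8 payload bytes, the
    offset counts 8-byte units, and MF is set on every fragment but the last."""
    chunk = (mtu - 20) // 8 * 8          # 1480 bytes for a 1500-byte MTU
    frags = []
    for pos in range(0, len(transport), chunk):
        frags.append({"src": src, "dst": dst, "proto": 17,
                      "offset": pos // 8, "mf": pos + chunk < len(transport),
                      "data": transport[pos:pos + chunk]})
    return frags

def udp_ports(frag):
    """Return (sport, dport) only when the fragment carries the UDP header,
    i.e. it is the first fragment (offset 0) and holds the full 8 bytes."""
    if frag["offset"] != 0 or len(frag["data"]) < 8:
        return None
    return struct.unpack("!HH", frag["data"][:4])

def matches_dynamic_rule(frag, state):
    """Model of a keep-state lookup: the reply must match the 5-tuple recorded
    when the outbound query passed. A fragment without ports can never match,
    so it falls through to the final 'deny ip from any to any'."""
    ports = udp_ports(frag)
    return ports is not None and (frag["src"], ports[0], frag["dst"], ports[1]) == state

def classify(src, dst, sport, dport, body, state, mtu=1500):
    """Return (fragment offset in 8-byte units, verdict) for every fragment."""
    frags = fragment(src, dst, build_udp(sport, dport, body), mtu)
    return [(f["offset"], "allow" if matches_dynamic_rule(f, state) else "deny")
            for f in frags]

if __name__ == "__main__":
    # State created by "allow udp from me to any out keep-state" for the query,
    # stored here as (remote addr, remote port, local addr, local port).
    state = (SRC, SPORT, DST, DPORT)
    for off, verdict in classify(SRC, DST, SPORT, DPORT, ANSWER, state):
        print(f"fragment at byte offset {off * 8:5d} -> {verdict}")
```

Only the first fragment carries the UDP header, so the rest can never match the dynamic rule, which is why the blanket "allow udp from any to any" rule (admitting every fragment, wanted or not) makes Unbound work. Later FreeBSD releases added an ipfw "reass" action that reassembles fragments before the remaining rules are evaluated, which is the "call the firewall after reassembly" approach described in the reply.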