Date:      Fri, 23 May 2014 10:03:23 -0700
From:      Peter Wemm <peter@wemm.org>
To:        Rainer Duffner <rainer@ultra-secure.de>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <537F7F5B.9090805@wemm.org>
In-Reply-To: <20140523102410.0f61fe0c@suse3.ewadmin.local>
References:  <20140520070926.GA92183@The.ie>	<537CF293.5010508@sentex.net>	<537E7F2F.1050903@wemm.org> <20140523102410.0f61fe0c@suse3.ewadmin.local>

On 5/23/14, 1:24 AM, Rainer Duffner wrote:
> On Thu, 22 May 2014 15:50:23 -0700
> Peter Wemm <peter@wemm.org> wrote:
>
>> The main source of pain we have is that the pf in FreeBSD doesn't do
>> ipv6 fragment processing.  We had to work around this because we have
>> public facing DNS servers behind it and they have to deal with ipv6
>> fragments.
>
> Hi,
>
> can you elaborate on this a bit more (without exposing the security of
> the FreeBSD.org cluster)?
> The reason I ask is that we're going to implement a new DNS soon'ish
> and it will also need to serve IPV6.
> It's planned to run pf on the nameservers directly. At least until we
> have a commercial firewall that actually does IPV6 better than pf ;-)
>
> Or is there information on the web about this, somewhere?
>

IPv6 fragments are implemented quite differently to IPv4 - those can be 
a real menace.  IPv4 fragments are allowed to overlap each other and 
rewrite previous fragments, including the header.  IPv6 fragments are 
not allowed to overlap and the IPv6 part of the header is outside the 
fragment area.  Unfortunately the TCP and UDP headers are included in 
the fragment area.

How this affects DNS depends on whether you are doing resolving or 
serving zones.

What we do for dns is use a dedicated IPv6 address that is exclusively 
used for DNS and allow IPv6 fragments to this address. Since fragment 
filtering can't specify ports, we effectively allow all-ports to this 
address.  I set this up so that it should not be a problem and routinely 
check to make sure there's no unexpected listeners on that address.

For dns servers, this is mostly a non-issue.  For resolvers 
(particularly with things like Unbound), a large pool of stateless 
incoming ports is used so it would probably be prudent to use an 
exclusive address for this.

If pf could reassemble IPv6 fragments to examine ports and state for 
these it'd be a lot nicer, but it doesn't in FreeBSD.

Beware, DNSSEC causes very large packets and makes fragmentation an issue.

-Peter
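The routine "no unexpected listeners" check that Peter mentions for a fragment-exposed DNS address, written out as an added example that is not part of this thread. The address 2001:db8::53, the allowed-port list and the sockstat listing are all constructed for illustration; on a real FreeBSD host the function reads the live output of `sockstat -6l`.

```shell
#!/bin/sh
# Added example: audit the dedicated DNS-only IPv6 address. Because the
# IPv6 fragment rule has to pass every port to that address, anything else
# listening there (or on the wildcard *) is reachable through the firewall.

DNS6="2001:db8::53"      # hypothetical dedicated DNS address
ALLOWED_PORTS="53"       # only DNS is supposed to answer on it

# Constructed sample of FreeBSD `sockstat -6l` output, used for offline testing.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp6   2001:db8::53:53       *:*
bind     named      1234  21 tcp6   2001:db8::53:53       *:*
root     sshd       900   4  tcp6   *:22                  *:*
root     ntpd       800   5  udp6   2001:db8::1:123       *:*
root     nc         777   3  tcp6   2001:db8::53:8080     *:*'

# unexpected_listeners ADDR: reads sockstat output on stdin and prints
# "PROTO HOST PORT COMMAND" for each listener reachable on ADDR whose port is
# not in $ALLOWED_PORTS. Wildcard binds (*) count, since they answer on the
# DNS address as well. sockstat joins address and port with ':', so for IPv6
# the port is whatever follows the LAST colon.
unexpected_listeners() {
    addr="$1"
    awk -v want="$addr" -v allowed="$ALLOWED_PORTS" '
        NR == 1 { next }                       # skip the header line
        {
            la = $6
            n = split(la, parts, ":")
            port = parts[n]
            host = substr(la, 1, length(la) - length(port) - 1)
            if (host != want && host != "*") next
            if (index(" " allowed " ", " " port " ")) next
            print $5, host, port, $2
        }'
}

# Runs the check against the constructed listing; returns non-zero output
# lines when something other than DNS is exposed on the address.
audit_dns_address() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "$DNS6"
}

# Live use on the nameserver:  sockstat -6l | unexpected_listeners "$DNS6"
```

With the constructed listing the check flags sshd bound to the wildcard and nc on port 8080, while ntpd on the separate address 2001:db8::1 is ignored.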