From owner-freebsd-ipfw@freebsd.org  Tue Mar  7 14:52:08 2017
Return-Path: <owner-freebsd-ipfw@freebsd.org>
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 02797D0197F
 for <freebsd-ipfw@mailman.ysv.freebsd.org>;
 Tue,  7 Mar 2017 14:52:08 +0000 (UTC)
 (envelope-from kudzu@tenebras.com)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com
 [IPv6:2607:f8b0:400d:c09::236])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id AF2DB16A5
 for <freebsd-ipfw@freebsd.org>; Tue,  7 Mar 2017 14:52:07 +0000 (UTC)
 (envelope-from kudzu@tenebras.com)
Received: by mail-qk0-x236.google.com with SMTP id v125so7168772qkh.2
 for <freebsd-ipfw@freebsd.org>; Tue, 07 Mar 2017 06:52:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tenebras-com.20150623.gappssmtp.com; s=20150623;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=qqgINGfDjjffp3fTGfXE4Bdt7iMdaO3aho5Z388AeS8=;
 b=TQ4CMenlOYAADecDtxrIK5IYl1ye8z9G9Q9jmrLWhnYXVFaU3FBQZ+V+cYmuZNhGfc
 D4ZfYtN5yb1qkZdmS82LqcrMS7Y52fxiC/NWqJopsFO2Hm7gCKbRr51Q7fE+kUbTztcY
 6cHsDLIXhauVqD09yVDBwaqIf6TCzuEiGBnynA9J/rm22URP2G5WUGY6zLODIt8aWhUs
 tafPUlWsZ6MO7vrvPZMRSxMXjxPSgipfGnMHe73Lzakaw309wfNbZ1NOKDTHry4tgIrI
 /oVOs0Jp6V2ytvdIEjiNCbpbK2oGPaqwps0u2+2mNwSsrmxVKc61PdbzWfH+sQiRxGob
 9Hmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=qqgINGfDjjffp3fTGfXE4Bdt7iMdaO3aho5Z388AeS8=;
 b=uDgnEZ3OwFsnsCksKqa6ZCDxTT1i37xWQ0mZfmtgsDW61HsUJRSS+cLliWRCee2fYR
 Jg3sQPksImyTsLTfpCOJzOE3NizabTbdozJLaK4atVxu6GXNW4p/W5C2rZYCipsWMBDk
 mkY8zopKO7hxV6QDdnRbeQ7x8QGx4HYT4asTBPEVvr0v0IQ4y9e/wh7SD2XS4kXd89IR
 TJXJ68vzxzK4B89f515Vwf53MG+EX1+xpeRYzzG3I7CxTUZq3V7TH6mf+Hy2OwNWoFhl
 qVXcO3iR+gqIp+AfS0BeuXV/gCp0zlxEttto3sWyIgw2xxzkHVJndxOA5fMVfFiZYeL7
 hY3A==
X-Gm-Message-State: AMke39lB71OV0rRW05iEk/yFzdqWNEGCk3m6RFMavfOjixFaLDp5Os9otKTCukEbbQPdEjZSbKFNs1xX54pxPd5i
X-Received: by 10.55.20.131 with SMTP id 3mr815248qku.320.1488898326774; Tue,
 07 Mar 2017 06:52:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.39.182 with HTTP; Tue, 7 Mar 2017 06:52:06 -0800 (PST)
In-Reply-To: <20170308013059.I87835@sola.nimnet.asn.au>
References: <bug-216867-7515@https.bugs.freebsd.org/bugzilla/>
 <bug-216867-7515-niEJ7KtnU7@https.bugs.freebsd.org/bugzilla/>
 <20170308013059.I87835@sola.nimnet.asn.au>
From: Michael Sierchio <kudzu@tenebras.com>
Date: Tue, 7 Mar 2017 09:52:06 -0500
Message-ID: <CAHu1Y71bA4=WDwEPfWEhAwQd02AG4ksKCsZW8HCG+Ln+UrywQg@mail.gmail.com>
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS
 failure on freebsd.org domains
To: Ian Smith <smithi@nimnet.asn.au>
Cc: Mark Felder <feld@freebsd.org>,
 "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 14:52:08 -0000

On Tue, Mar 7, 2017 at 9:43 AM, Ian Smith <smithi@nimnet.asn.au> wrote:

However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?
>
>
Absolutely, yes - fragments don't carry sub-protocol info.


--=20
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mah=C4=81bh=C4=81rata