Date:      Wed, 8 Mar 2017 02:27:29 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Mark Felder <feld@FreeBSD.org>
Cc:        Michael Sierchio <kudzu@tenebras.com>, freebsd-ipfw@FreeBSD.org
Subject:   Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
Message-ID:  <20170308015141.W87835@sola.nimnet.asn.au>
In-Reply-To: <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>
References:  <bug-216867-7515@https.bugs.freebsd.org/bugzilla/> <bug-216867-7515-niEJ7KtnU7@https.bugs.freebsd.org/bugzilla/> <20170308013059.I87835@sola.nimnet.asn.au> <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>

On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
 > On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:

 > >  > https://reviews.freebsd.org/D9920
 > > 
 > > I've always used these rules from 'client' and 'simple' rulesets:
 > > 	${fwcmd} add pass all from any to any frag
 > > which I long ago found essential to pass frags from zen.spamhaus.org
 > > 
 > > I haven't used reass - nor DNSSEC - so can't really evaluate, nor test 
 > > currently, so I won't pollute the bug report with what may be musing.
 > > 
 > > However, looking at the review patch, I do wonder if the reass shouldn't
 > > precede, rather than follow, the check-state?
 > > 
 > 
 > My pre-coffee brain said "UDP isn't stateful; should be fine to put this
 > after check-state". I didn't evaluate it further than that.

1) code, 2) coffee, 3) recode :-)

All DNS requests routed from LAN clients here run statefully, in an 
otherwise mostly static firewall, though not those issued by sendmail, 
which are those returning big fragmented UDP packets from spamhaus.org.

Again, I'm just reading how reass works, but I presume you'd want to 
pass the whole reassembled packet at check-state?

Michael seems to confirm.  Further, it's nothing but convention having 
check-state as the very first rule, whereas that is advised for reass.

cheers, Ian
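The rule ordering discussed in this thread, as an added illustration that is not part of the message, the bug report, or the D9920 patch: 'reass' placed ahead of 'check-state' so the dynamic state table is consulted on whole reassembled datagrams rather than on bare fragments, with the stateful DNS rules and the 'frag' pass rule quoted above following. Rule numbers, the ports and the use of 'me' are constructed for the example; FWCMD defaults to a dry run that prints the rules instead of loading them, and a small check refuses to load a set in which reass does not precede check-state.

```shell
#!/bin/sh
# Added example (assumed layout, not the thread's or rc.firewall's own rules):
# an IPFW ruleset in which inbound fragments are reassembled before the
# state table is consulted. FWCMD defaults to a dry run so this can be read
# and tested on a host without ipfw; set FWCMD=ipfw to load for real.
: "${FWCMD:=echo ipfw}"

# Emit the rules in order, one "<number> <rule>" pair per line.
ruleset() {
    # 1. Reassemble inbound fragments before any other inspection.
    echo "100 reass all from any to any in"
    # 2. Only now consult the dynamic (keep-state) table.
    echo "200 check-state"
    # 3. Stateful DNS from this host; the matching large UDP replies
    #    (EDNS/DNSSEC answers) arrive whole because of rule 100.
    echo "300 allow udp from me to any 53 out keep-state"
    echo "310 allow tcp from me to any 53 out setup keep-state"
    # 4. The fallback quoted in the thread for fragments reaching this point
    #    (e.g. traffic not covered by the stateful rules above).
    echo "400 allow ip from any to any frag"
    echo "65000 deny log ip from any to any"
}

# Rule number of the first rule whose action is the given keyword.
rule_number() {
    ruleset | awk -v kw="$1" '$2 == kw { print $1; exit }'
}

# Succeeds only if reass is numbered below (runs before) check-state.
check_order() {
    r=$(rule_number reass)
    c=$(rule_number check-state)
    [ -n "$r" ] && [ -n "$c" ] && [ "$r" -lt "$c" ]
}

# Load (or, in the default dry run, print) the rules after the ordering check.
load_rules() {
    check_order || { echo "reass must precede check-state" >&2; return 1; }
    ruleset | while read -r num rule; do
        # shellcheck disable=SC2086  # FWCMD and the rule are meant to word-split
        $FWCMD add $num $rule
    done
}

load_rules
```

Running the script unchanged prints the `ipfw add ...` lines in order; the ordering check is the part worth keeping if the rule numbers are ever renumbered, since nothing in ipfw itself warns when check-state ends up ahead of reass.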


