From owner-freebsd-ipfw@freebsd.org Tue Mar 7 15:27:34 2017
Date: Wed, 8 Mar 2017 02:27:29 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Mark Felder
cc: Michael Sierchio, freebsd-ipfw@FreeBSD.org
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
In-Reply-To: <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>
Message-ID: <20170308015141.W87835@sola.nimnet.asn.au>
References: <20170308013059.I87835@sola.nimnet.asn.au> <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>
List-Id: IPFW Technical Discussions

On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
> On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> >
> > https://reviews.freebsd.org/D9920
> >
> > I've always used these rules from 'client' and 'simple' rulesets:
> > ${fwcmd} add pass all from any to any frag
> > which I long ago found essential to pass frags from zen.spamhaus.org
> >
> > I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> > currently, so I won't pollute the bug report with what may be musing.
> >
> > However, looking at the review patch, I do wonder if the reass shouldn't
> > precede, rather than follow, the check-state?
> >
>
> My pre-coffee brain said "UDP isn't stateful; should be fine to put this
> after check-state". I didn't evaluate it further than that.

1) code, 2) coffee, 3) recode :-)

All DNS requests routed from LAN clients here run statefully, in an
otherwise mostly static firewall, though not those issued by sendmail,
which are those returning big fragmented UDP packets from spamhaus.org.

Again, I'm just reading how reass works, but I presume you'd want to pass
the whole reassembled packet at check-state? Michael seems to confirm.

Further, it's nothing but convention having check-state as the very first
rule, whereas that is advised for reass.

cheers, Ian
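The ordering discussed in this thread, written out as an added example (not the FreeBSD rc.firewall and not code from the review or the posters): reass ahead of check-state, a stateful DNS rule, then the long-standing frag rule as a fallback. The rule numbers, the dns_servers list and the dry-run default for fwcmd are assumptions made here.

```shell
#!/bin/sh
# Added example: put 'reass' before 'check-state' so the dynamic-rule
# lookup sees the whole reassembled datagram (a large DNSSEC reply, say)
# rather than its individual fragments.
# Assumptions: rule numbers, the dns_servers list, and fwcmd defaulting to
# a dry run. Set fwcmd=/sbin/ipfw to apply for real.
fwcmd="${fwcmd:-echo ipfw}"
dns_servers="${dns_servers:-192.0.2.53}"   # constructed sample resolver

emit_rules() {
    # 1. Reassemble inbound IPv4 fragments first (the ipfw(8) reass form);
    #    the reassembled packet continues down the ruleset from here.
    ${fwcmd} add 100 reass all from any to any in
    # 2. Only now consult the dynamic rule table.
    ${fwcmd} add 200 check-state
    # 3. Stateful DNS from this host; the reply matches the dynamic rule
    #    as one datagram once it has been reassembled above.
    for s in ${dns_servers}; do
        ${fwcmd} add 300 allow udp from me to ${s} 53 out keep-state
    done
    # 4. Fallback for fragments reass did not handle: the 'frag' rule
    #    from the 'client' and 'simple' rulesets quoted in the thread.
    ${fwcmd} add 400 allow all from any to any frag
    ${fwcmd} add 65000 deny log all from any to any
}

# rule_number_of <keyword>: rule number of the first generated rule whose
# text contains <keyword>; used to check the ordering of the ruleset.
rule_number_of() {
    emit_rules | awk -v kw="$1" '$0 ~ kw { print $3; exit }'
}

emit_rules
```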