Date: Wed, 22 Jun 2016 08:55:49 +0000
From: "C. L. Martinez" <carlopmart@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Strange behavior with DNS requests under FreeBSD 10.3 with pf enabled
Message-ID: <20160622085549.GA7172@beagle.bcn.sia.es>
In-Reply-To: <20160622075347.GA5205@beagle.bcn.sia.es>
References: <20160622075347.GA5205@beagle.bcn.sia.es>
On Wed 22.Jun'16 at 7:53:47 +0000, C. L. Martinez wrote:
> Hi all,
>
> I have detected a strange behavior with my FreeBSD 10.3 (fully patched) PF based firewall. With some DNS requests, pf denies the connection, but with others not. For example, if I do a query about www.oracle.com or www.microsoft.com, all works ok. But if I do a query about www.freebsd.org or www.openbsd.org, the request is denied:
>
> 00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
> 8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:27.493700 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 38872, offset 0, flags [+], proto UDP (17), length 1492)
> 8.8.8.8.53 > 172.30.77.2.64953: 20142$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:02.699902 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 41109, offset 0, flags [+], proto UDP (17), length 1492)
> 8.8.8.8.53 > 172.30.77.2.59317: 29961$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:27.482112 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 0, flags [+], proto UDP (17), length 1492)
> 8.8.4.4.53 > 172.30.77.2.65447: 9845$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:00.280886 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 12677, offset 0, flags [+], proto UDP (17), length 1492)
> 8.8.8.8.53 > 172.30.77.2.58368: 4177$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:02.421382 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 57858, offset 0, flags [+], proto UDP (17), length 1492)
> 8.8.4.4.53 > 172.30.77.2.61071: 62867$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
>
> It is really strange. I am using an internal unbound DNS cache server installed on a Debian host and I have configured Google's DNS servers, 8.8.8.8 and 8.8.4.4, as forwarders. I have tried to disable these forwarders in unbound's config, but the same error occurs.
>
> Any idea why??
>
> Thanks.
> --
> Greetings,
> C. L. Martinez

Ok, question solved. Problem was with my scrub rules. Adding:

scrub all reassemble tcp fragment reassemble no-df random-id

... problem solved.

Thanks.

--
Greetings,
C. L. Martinez
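A small triage helper, added here as an example and not part of the thread or of pf's own tooling: it parses pflog output in the shape quoted above (header line plus decoded flow line) and counts blocked IP fragments per rule, which is the pattern that points at a missing `fragment reassemble` scrub option. The sample records are constructed from the quoted output, plus one made-up unfragmented reply that passed, for contrast.

```python
import re

# Constructed sample in the shape of the tcpdump-on-pflog0 output quoted in the
# thread: an IP header line followed by the decoded payload line. The first two
# records mirror the blocked DNSKEY replies; the third is a made-up
# unfragmented reply that passed, for contrast.
SAMPLE_PFLOG = """\
00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. RRSIG[|domain]
00:00:27.493700 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 38872, offset 0, flags [+], proto UDP (17), length 1492)
8.8.4.4.53 > 172.30.77.2.64953: 20142$ 7/0/1 org. DNSKEY, org. RRSIG[|domain]
00:00:00.104000 rule 12..16777216/0(match): pass in on vtnet1: (tos 0x0, ttl 54, id 9001, offset 0, flags [none], proto UDP (17), length 99)
8.8.8.8.53 > 172.30.77.2.51234: 4321 1/0/0 A 10.0.0.1 (71)
"""

HEADER_RE = re.compile(
    r"rule (?P<rule>\d+)[\d./]*\((?P<reason>\w+)\): (?P<action>\w+) (?P<direction>in|out) "
    r"on (?P<ifname>\S+): \(.*?\bid (?P<ipid>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)"
)
FLOW_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


def parse_pflog(text):
    """Pair each pflog header line with the flow line that follows it."""
    records = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 1, 2):
        hdr, flow = HEADER_RE.search(lines[i]), FLOW_RE.match(lines[i + 1])
        if not hdr or not flow:
            continue
        rec = {**hdr.groupdict(), **flow.groupdict()}
        for key in ("rule", "ipid", "offset", "length", "sport", "dport"):
            rec[key] = int(rec[key])
        # An IP fragment is either a first/middle piece (MF set, shown as "+")
        # or a later piece (non-zero offset). Without "fragment reassemble",
        # pf sees the pieces rather than the whole UDP datagram.
        rec["fragment"] = "+" in rec["flags"] or rec["offset"] > 0
        records.append(rec)
    return records


def blocked_fragments(records):
    """Count blocked fragments grouped by (rule number, proto, source port)."""
    counts = {}
    for r in records:
        if r["action"] == "block" and r["fragment"]:
            key = (r["rule"], r["proto"], r["sport"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (rule, proto, sport), n in blocked_fragments(parse_pflog(SAMPLE_PFLOG)).items():
        print(f"rule {rule}: {n} blocked {proto} fragment(s) from port {sport}; "
              "check the scrub rule for 'fragment reassemble'")
```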