From owner-freebsd-questions@freebsd.org Wed Jun 22 08:56:01 2016
Date: Wed, 22 Jun 2016 08:55:49 +0000
From: "C. L. Martinez"
To: freebsd-questions@freebsd.org
Subject: Re: Strange behavior with DNS requests under FreeBSD 10.3 with pf enabled
Message-ID: <20160622085549.GA7172@beagle.bcn.sia.es>
In-Reply-To: <20160622075347.GA5205@beagle.bcn.sia.es>

On Wed 22.Jun'16 at 7:53:47 +0000, C. L. Martinez wrote:
> Hi all,
>
> I have detected a strange behavior with my FreeBSD 10.3 (fully patched) PF based firewall. With some DNS requests, pf denies the connection, but with others not. For example, if I do a query about www.oracle.com or www.microsoft.com, all works ok. But if I do a query about www.freebsd.org or www.openbsd.org, the request is denied:
>
> 00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:27.493700 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 38872, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.64953: 20142$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:02.699902 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 41109, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.59317: 29961$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:27.482112 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.4.4.53 > 172.30.77.2.65447: 9845$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:00.280886 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 12677, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.58368: 4177$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:02.421382 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 57858, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.4.4.53 > 172.30.77.2.61071: 62867$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
>
> It is really strange. I am using an internal unbound DNS cache server installed on a Debian host and I have configured Google's DNS servers, 8.8.8.8 and 8.8.4.4, as forwarders. I have tried to disable these forwarders in unbound's config, but the same error occurs.
>
> Any idea why?
>
> Thanks.
> --
> Greetings,
> C. L. Martinez

Ok, question solved. The problem was with my scrub rules. Adding:

    scrub all reassemble tcp fragment reassemble no-df random-id

... problem solved. Thanks.

--
Greetings,
C. L. Martinez
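A triage helper for pflog output in the format quoted above, added here as an example and not part of the thread: it pairs each tcpdump header line with the endpoint line under it, marks fragments (MF flag set, or a non-zero offset) and correlates later fragments with the first fragment of the same datagram by (src, dst, IP id), the same key a reassembler uses. The sample records are constructed; records 3 and 4 (a continuation fragment and a TCP SYN) are hypothetical and only the first two are copied from the thread.

```python
import re
from collections import Counter

# Constructed sample in the thread's format: records 1-2 copy two blocked .org DNSKEY replies (RRs abbreviated);
# record 3 (continuation fragment of record 2: same IP id, no L4 header) and record 4 (TCP SYN) are hypothetical.
SAMPLE_PFLOG = """\
00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. DNSKEY, org. RRSIG[|domain]
00:00:27.482112 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.4.4.53 > 172.30.77.2.65447: 9845$ 7/0/1 org. DNSKEY, org. DNSKEY, org. RRSIG[|domain]
00:00:00.000100 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 1472, flags [none], proto UDP (17), length 120)
    8.8.4.4 > 172.30.77.2: ip-proto-17
00:00:01.000000 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.9.40000 > 172.30.77.2.22: Flags [S], seq 1, win 65535, length 0
"""

HEADER = re.compile(
    r"^\S+ rule (?P<rule>\d+)\S*: (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): \(.*?\bid (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)")
ENDPOINTS = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+):")

def parse_pflog(text):
    """Pair each tcpdump header line with the endpoint line under it; returns one dict per packet."""
    lines, records = text.splitlines(), []
    for line, nxt in zip(lines, lines[1:] + [""]):
        m = HEADER.match(line)
        if not m:
            continue
        rec = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
        rec["fragment"] = "+" in rec["flags"] or rec["offset"] > 0  # MF set, or a later fragment
        e = ENDPOINTS.match(nxt)
        src, dst = (e["src"], e["dst"]) if e else (None, None)
        rec["sport"] = rec["dport"] = None
        if e and rec["offset"] == 0:  # only the first fragment carries the UDP/TCP header (ports)
            src, sport = src.rsplit(".", 1)
            dst, dport = dst.rsplit(".", 1)
            rec["sport"], rec["dport"] = int(sport), int(dport)
        rec["src"], rec["dst"] = src, dst
        records.append(rec)
    return records

def classify_blocked(records):
    """Count blocked packets; a fragment joins a UDP/53 reply when (src, dst, IP id) matches one."""
    dns_replies = {(r["src"], r["dst"], r["id"]) for r in records
                   if r["offset"] == 0 and r["proto"] == "UDP" and r["sport"] == 53}
    def tag(r):
        if not r["fragment"]:
            return "non-fragment"
        return "fragmented DNS reply" if (r["src"], r["dst"], r["id"]) in dns_replies else "other fragment"
    return Counter(tag(r) for r in records if r["action"] == "block")
```

When every blocked entry classifies as a fragment of a UDP/53 reply, as in the thread, the fix is to let pf reassemble (the scrub line in the reply) rather than to open a wider pass rule.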