Date: Wed, 8 Mar 2017 01:43:19 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: feld@FreeBSD.org
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
Message-ID: <20170308013059.I87835@sola.nimnet.asn.au>
In-Reply-To: <bug-216867-7515-niEJ7KtnU7@https.bugs.freebsd.org/bugzilla/>
References: <bug-216867-7515@https.bugs.freebsd.org/bugzilla/> <bug-216867-7515-niEJ7KtnU7@https.bugs.freebsd.org/bugzilla/>

On Tue, 7 Mar 2017 13:49:25 +0000, bugzilla-noreply@freebsd.org wrote:

> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
>
> Mark Felder <feld@FreeBSD.org> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |feld@FreeBSD.org
>
> --- Comment #1 from Mark Felder <feld@FreeBSD.org> ---
> Needs some testers, but this should fix it
>
> https://reviews.freebsd.org/D9920

I've always used these rules from 'client' and 'simple' rulesets:

        ${fwcmd} add pass all from any to any frag

which I long ago found essential to pass frags from zen.spamhaus.org

I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
currently, so I won't pollute the bug report with what may be musing.

However, looking at the review patch, I do wonder if the reass shouldn't
precede, rather than follow, the check-state?

cheers, Ian