[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Rodney W. Grimes changed:

           What    |Removed                     |Added
                 CC|                            |rgri...@freebsd.org

--- Comment #3 from Rodney W. Grimes ---
(In reply to Helge Oldach from comment #2)

In general the reass should come before any rule that might check a port number, as only the first packet, or a completely reassembled packet, has a port number. So I agree it should be moved before the check state, and probably moved even much earlier.

The other issue is that net.inet.ip.fw.one_pass must be turned on for this to work; that change requires further considerations and testing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

--- Comment #2 from Helge Oldach ---
(In reply to Mark Felder from comment #1)

Tested and works. However the reass should come *before* the check-state as fragments (except the first) don't include protocol and port numbers and thus cannot match check-state anyway. We need to reassemble first, then check-state will do the right thing. (It doesn't harm to implement as proposed, but we may save a few cycles if we reass first.)

Furthermore, along the same line we should not only reassemble UDP but any IP packet (including IPv6), which is also suggested by the ipfw(8) manpage:

    Usually a simple rule like:

        # reassemble incoming fragments
        ipfw add reass all from any to any in

    is all you need at the beginning of your ruleset.
Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
> On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> >
> > > https://reviews.freebsd.org/D9920
> >
> > I've always used these rules from 'client' and 'simple' rulesets:
> >
> >     ${fwcmd} add pass all from any to any frag
> >
> > which I long ago found essential to pass frags from zen.spamhaus.org
> >
> > I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> > currently, so I won't pollute the bug report with what may be musing.
> >
> > However, looking at the review patch, I do wonder if the reass shouldn't
> > precede, rather than follow, the check-state?
>
> My pre-coffee brain said "UDP isn't stateful; should be fine to put this
> after check-state". I didn't evaluate it further than that.

1) code, 2) coffee, 3) recode :-)

All DNS requests routed from LAN clients here run statefully, in an otherwise mostly static firewall, though not those issued by sendmail, which are those returning big fragmented UDP packets from spamhaus.org.

Again, I'm just reading how reass works, but I presume you'd want to pass the whole reassembled packet at check-state? Michael seems to confirm.

Further, it's nothing but convention having check-state as the very first rule, whereas that is advised for reass.

cheers, Ian
Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
On Tue, Mar 7, 2017 at 9:43 AM, Ian Smith wrote:

> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?

Absolutely, yes - fragments don't carry sub-protocol info.

-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." - The Mahābhārata
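The point made in comments #2 and #3 and confirmed in the reply above (only the first fragment of a datagram carries the UDP header, so a rule that matches on ports, check-state included, can never match the other fragments) can be shown with a small toy model. This is an added example written for this page; it is not ipfw code and not part of the thread. The rule names `port53` and `reass`, the addresses, the fragment identifier and the 3000-byte reply are constructed, and the model only reproduces the visibility problem: it does not reproduce ipfw's real reass or one_pass behaviour.

```python
"""Toy model (added example, not ipfw code) of why `reass` must precede
any rule that matches on L4 ports, such as check-state or `udp ... 53`."""
import struct
from collections import defaultdict

IPPROTO_UDP = 17
MF = 0x2000                 # "more fragments" flag in flags/fragment-offset field
IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte header, no options


def ipv4_header(src, dst, ident, flags_off, proto, total_len):
    """Build a minimal IPv4 header (checksum left 0: constructed test data)."""
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_off,
                       64, proto, 0, src, dst)


def fragment(src, dst, ident, proto, payload, max_payload=1480):
    """Split an L4 datagram into IPv4 fragments; offsets are in 8-byte units."""
    assert max_payload % 8 == 0
    frags = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        more = MF if off + max_payload < len(payload) else 0
        hdr = ipv4_header(src, dst, ident, more | (off // 8), proto, 20 + len(chunk))
        frags.append(hdr + chunk)
    return frags


def parse(pkt):
    f = struct.unpack(IPV4_HDR, pkt[:20])
    return {"id": f[3], "mf": bool(f[4] & MF), "off": (f[4] & 0x1FFF) * 8,
            "proto": f[6], "src": f[8], "dst": f[9], "payload": pkt[20:]}


def udp_ports(pkt):
    """What a port-matching rule can see: only a first fragment (offset 0)
    carries the UDP header; every other fragment yields None."""
    h = parse(pkt)
    if h["proto"] != IPPROTO_UDP or h["off"] != 0 or len(h["payload"]) < 8:
        return None
    return struct.unpack("!HH", h["payload"][:4])


def reassemble(pkts):
    """Reassemble fragments sharing (src, dst, id, proto). Unfragmented
    packets pass through; incomplete groups are held back (dropped here)."""
    groups, whole = defaultdict(list), []
    for p in pkts:
        h = parse(p)
        if not h["mf"] and h["off"] == 0:
            whole.append(p)                      # not a fragment at all
        else:
            groups[(h["src"], h["dst"], h["id"], h["proto"])].append(h)
    for (src, dst, ident, proto), parts in groups.items():
        parts.sort(key=lambda h: h["off"])
        expected = 0
        for part in parts:
            if part["off"] != expected:
                break                            # hole: cannot complete
            expected += len(part["payload"])
        else:
            if not parts[-1]["mf"]:              # last fragment is present
                payload = b"".join(part["payload"] for part in parts)
                whole.append(ipv4_header(src, dst, ident, 0, proto,
                                         20 + len(payload)) + payload)
    return whole


def run_ruleset(order, pkts):
    """Evaluate a two-rule ruleset in the given order. 'port53' accepts every
    packet whose visible UDP source port is 53; 'reass' reassembles what is
    left. Returns (packets accepted by port53, IP payload bytes accepted)."""
    accepted, payload_bytes, remaining = 0, 0, list(pkts)
    for rule in order:
        if rule == "port53":
            hits = [p for p in remaining if (udp_ports(p) or (0, 0))[0] == 53]
            accepted += len(hits)
            payload_bytes += sum(len(p) - 20 for p in hits)
            remaining = [p for p in remaining if p not in hits]
        elif rule == "reass":
            remaining = reassemble(remaining)
    return accepted, payload_bytes


# Constructed sample: a 3000-byte DNSSEC-sized UDP reply from port 53,
# fragmented into three pieces (1480 + 1480 + 40 bytes of IP payload).
SRC, DST = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])
REPLY = struct.pack("!HHHH", 53, 40123, 8 + 2992, 0) + b"\x00" * 2992
FRAGS = fragment(SRC, DST, 0x1234, IPPROTO_UDP, REPLY)


def port_rule_before_reass():
    return run_ruleset(["port53", "reass"], FRAGS)   # -> (1, 1480)


def reass_before_port_rule():
    return run_ruleset(["reass", "port53"], FRAGS)   # -> (1, 3000)


if __name__ == "__main__":
    print("ports visible per fragment:", [udp_ports(f) for f in FRAGS])
    print("port53 then reass:", port_rule_before_reass())
    print("reass then port53:", reass_before_port_rule())
```

With the port rule first, only the first fragment matches (it is the only one with a UDP header) and the resolver is handed 1480 of the 3000 bytes; the remaining two fragments can never be completed by the reass rule because their first piece has already left the ruleset. With reass first, the port rule sees one whole 3000-byte datagram and accepts it, which is the ordering comment #3 and the ipfw(8) manpage excerpt in comment #2 recommend.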
Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
On Tue, 7 Mar 2017 13:49:25 +, bugzilla-nore...@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
>
> Mark Felder changed:
>
>            What    |Removed                     |Added
>                  CC|                            |f...@freebsd.org
>
> --- Comment #1 from Mark Felder ---
> Needs some testers, but this should fix it
>
> https://reviews.freebsd.org/D9920

I've always used these rules from 'client' and 'simple' rulesets:

    ${fwcmd} add pass all from any to any frag

which I long ago found essential to pass frags from zen.spamhaus.org

I haven't used reass - nor DNSSEC - so can't really evaluate, nor test currently, so I won't pollute the bug report with what may be musing.

However, looking at the review patch, I do wonder if the reass shouldn't precede, rather than follow, the check-state?

cheers, Ian
[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Mark Felder changed:

           What    |Removed                     |Added
                 CC|                            |f...@freebsd.org

--- Comment #1 from Mark Felder ---
Needs some testers, but this should fix it

https://reviews.freebsd.org/D9920
[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Mark Linimon changed:

           What    |Removed                     |Added
                 CC|freebsd-am...@freebsd.org   |
           Assignee|freebsd-b...@freebsd.org    |freebsd-ipfw@FreeBSD.org