[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2018-03-11 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Rodney W. Grimes  changed:

   What|Removed |Added

 CC||rgri...@freebsd.org

--- Comment #3 from Rodney W. Grimes  ---
(In reply to Helge Oldach from comment #2)

In general the reass should come before any rule that might check
a port number, as only the first packet, or a completely reassembled
packet has a port number.

So I agree it should be moved before the check state, and probably
moved even much earlier.

The other issue is that net.inet.ip.fw.one_pass must be turned on
for this to work, that change requires further considerations and
testing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2018-03-11 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

--- Comment #2 from Helge Oldach  ---
(In reply to Mark Felder from comment #1)
Tested and works.

However the reass should come *before* the check-state as fragments (except the
first) don't include protocol and port numbers and thus cannot match
check-state anyway. We need to reassemble first, then check-state will do the
right thing. (It doesn't harm to implement as proposed, but we may save a few
cycles if we reass first.)

Furthermore, along the same line we should not only reassemble UDP but any IP
packet (including IPv6), which is also suggested by ipfw(8) manpage:

 Usually a simple rule like:

   # reassemble incoming fragments
   ipfw add reass all from any to any in

 is all you need at the beginning of your ruleset.

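The ordering argument made in the comments above (reass ahead of check-state, because only the first fragment or a fully reassembled datagram carries port numbers) can be shown with a small model. The code below is an added illustration, not ipfw code or anything from the bug report: it fragments a constructed DNSSEC-sized UDP response and walks three simplified rulesets in ipfw order. It assumes the ipfw(8) semantics quoted in the thread: a rule that looks at ports cannot match a non-first fragment, `reass` consumes fragments until the last logical one arrives, and (one_pass=0 behaviour) the reassembled datagram then continues with the next rule. A plain port-matching rule stands in for check-state or any other port-keyed rule.

```python
"""Why an ipfw 'reass' rule must precede any rule keyed on port numbers.

Added example (not from the bug report or ipfw sources). Packets are
constructed; the ruleset evaluator is a deliberately small model of ipfw(8).
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP = 17


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment. The transport header exists only when offset == 0."""
    src: str
    dst: str
    proto: int
    ident: int
    offset: int            # byte offset within the original datagram
    more_fragments: bool   # the IPv4 MF flag
    payload: bytes

    @property
    def is_fragment(self) -> bool:
        return self.offset != 0 or self.more_fragments

    def ports(self) -> Optional[Tuple[int, int]]:
        # Non-first fragments have no UDP header, so there is nothing to read.
        if self.offset != 0 or len(self.payload) < 8:
            return None
        sport, dport = struct.unpack("!HH", self.payload[:4])
        return sport, dport


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero, constructed data) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src: str, dst: str, ident: int, datagram: bytes,
             chunk: int = 1480) -> List[Fragment]:
    """Split a datagram at a multiple of 8 bytes, as a 1500-byte MTU link would."""
    out = []
    for off in range(0, len(datagram), chunk):
        piece = datagram[off:off + chunk]
        out.append(Fragment(src, dst, UDP, ident, off,
                            off + len(piece) < len(datagram), piece))
    return out


class Reassembler:
    """Queues fragments per (src, dst, proto, id) and returns whole datagrams."""

    def __init__(self) -> None:
        self.queues: Dict[tuple, List[Fragment]] = {}

    def feed(self, frag: Fragment) -> Optional[Fragment]:
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        q = self.queues.setdefault(key, [])
        q.append(frag)
        q.sort(key=lambda f: f.offset)
        expected = 0
        for f in q:                      # coverage must be contiguous from 0
            if f.offset != expected:
                return None
            expected += len(f.payload)
        if q[-1].more_fragments:         # last logical fragment not seen yet
            return None
        del self.queues[key]
        return Fragment(frag.src, frag.dst, frag.proto, frag.ident, 0, False,
                        b"".join(f.payload for f in q))


def evaluate(rules: List[tuple], pkt: Fragment,
             reasm: Reassembler) -> Tuple[str, Fragment]:
    """Walk the ruleset top to bottom; the first terminal action wins."""
    for rule in rules:
        if rule[0] == "reass":
            if not pkt.is_fragment:
                continue                 # not fragmented: count and move on
            whole = reasm.feed(pkt)
            if whole is None:
                return "queued", pkt     # fragment consumed, search stops
            pkt = whole                  # one_pass=0: continue with whole datagram
        elif rule[0] == "allow-udp-sport":
            p = pkt.ports()
            if pkt.proto == UDP and p is not None and p[0] == rule[1]:
                return "allow", pkt
        elif rule[0] == "deny":
            return "deny", pkt
    return "deny", pkt                   # implicit default deny


def verdicts(rules: List[tuple], frags: List[Fragment]) -> List[str]:
    reasm = Reassembler()
    return [evaluate(rules, f, reasm)[0] for f in frags]


def datagram_delivered(rules: List[tuple], frags: List[Fragment]) -> bool:
    """True only if a complete (non-fragment) datagram was allowed through."""
    reasm = Reassembler()
    return any(v == "allow" and not p.is_fragment
               for v, p in (evaluate(rules, f, reasm) for f in frags))


# Constructed 1708-byte DNSSEC-style reply from port 53, split in two fragments.
RESPONSE = fragment("192.0.2.53", "198.51.100.10", 0x1234,
                    udp_datagram(53, 40000, b"\x00" * 1700))

REASS_FIRST = [("reass",), ("allow-udp-sport", 53), ("deny",)]   # the thread's advice
PORT_FIRST = [("allow-udp-sport", 53), ("reass",), ("deny",)]    # reass after port check
NO_REASS = [("allow-udp-sport", 53), ("deny",)]                  # the original ruleset

if __name__ == "__main__":
    for name, rs in (("reass first", REASS_FIRST), ("port rule first", PORT_FIRST),
                     ("no reass", NO_REASS)):
        print(f"{name:16} {verdicts(rs, RESPONSE)} whole datagram: "
              f"{datagram_delivered(rs, RESPONSE)}")
```

With reass first, the first fragment is queued and the second completes the datagram, which then matches the port rule as a whole. With the port rule first, the first fragment (which has the UDP header) passes on its own, and the second sits in the reassembler with nothing to complete it; without reass at all it is simply denied. In both of the latter orderings the client never receives a complete response.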


Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-03-07 Thread Ian Smith
On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
 > On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:

 > >  > https://reviews.freebsd.org/D9920
 > > 
 > > I've always used these rules from 'client' and 'simple' rulesets:
 > >    ${fwcmd} add pass all from any to any frag
 > > which I long ago found essential to pass frags from zen.spamhaus.org
 > > 
 > > I haven't used reass - nor DNSSEC - so can't really evaluate, nor test 
 > > currently, so I won't pollute the bug report with what may be musing.
 > > 
 > > However, looking at the review patch, I do wonder if the reass shouldn't
 > > precede, rather than follow, the check-state?
 > > 
 > 
 > My pre-coffee brain said "UDP isn't stateful; should be fine to put this
 > after check-state". I didn't evaluate it further than that.

1) code, 2) coffee, 3) recode :-)

All DNS requests routed from LAN clients here run statefully, in an 
otherwise mostly static firewall, though not those issued by sendmail, 
which are those returning big fragmented UDP packets from spamhaus.org.

Again, I'm just reading how reass works, but I presume you'd want to 
pass the whole reassembled packet at check-state?

Michael seems to confirm.  Further, it's nothing but convention having 
check-state as the very first rule, whereas that is advised for reass.

cheers, Ian


Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-03-07 Thread Michael Sierchio
On Tue, Mar 7, 2017 at 9:43 AM, Ian Smith  wrote:

> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?

Absolutely, yes - fragments don't carry sub-protocol info.


-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-03-07 Thread Ian Smith
On Tue, 7 Mar 2017 13:49:25 +, bugzilla-nore...@freebsd.org wrote:
 > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
 > 
 > Mark Felder  changed:
 > 
 >What|Removed |Added
 > 
 >  CC||f...@freebsd.org
 > 
 > --- Comment #1 from Mark Felder  ---
 > Needs some testers, but this should fix it
 > 
 > https://reviews.freebsd.org/D9920

I've always used these rules from 'client' and 'simple' rulesets:
    ${fwcmd} add pass all from any to any frag
which I long ago found essential to pass frags from zen.spamhaus.org

I haven't used reass - nor DNSSEC - so can't really evaluate, nor test 
currently, so I won't pollute the bug report with what may be musing.

However, looking at the review patch, I do wonder if the reass shouldn't
precede, rather than follow, the check-state?

cheers, Ian


[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-03-07 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Mark Felder  changed:

   What|Removed |Added

 CC||f...@freebsd.org

--- Comment #1 from Mark Felder  ---
Needs some testers, but this should fix it

https://reviews.freebsd.org/D9920



[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-02-08 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Mark Linimon  changed:

   What|Removed |Added

 CC|freebsd-am...@freebsd.org   |
   Assignee|freebsd-b...@freebsd.org|freebsd-ipfw@FreeBSD.org
