From owner-freebsd-ipfw@freebsd.org Tue Mar 7 14:51:31 2017
From: Mark Felder
To: Ian Smith
Cc: freebsd-ipfw@FreeBSD.org
Date: Tue, 07 Mar 2017 08:45:22 -0600
Message-Id: <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>
In-Reply-To: <20170308013059.I87835@sola.nimnet.asn.au>
References: <20170308013059.I87835@sola.nimnet.asn.au>
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
List-Id: IPFW Technical Discussions

On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> On Tue, 7 Mar 2017 13:49:25 +0000, bugzilla-noreply@freebsd.org wrote:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
> >
> > Mark Felder changed:
> >
> >            What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >                  CC|                            |feld@FreeBSD.org
> >
> > --- Comment #1 from Mark Felder ---
> > Needs some testers, but this should fix it
> >
> > https://reviews.freebsd.org/D9920
>
> I've always used these rules from 'client' and 'simple' rulesets:
> ${fwcmd} add pass all from any to any frag
> which I long ago found essential to pass frags from zen.spamhaus.org
>
> I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> currently, so I won't pollute the bug report with what may be musing.
>
> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?

My pre-coffee brain said "UDP isn't stateful; should be fine to put this
after check-state". I didn't evaluate it further than that.

-- 
Mark Felder
ports-secteam & portmgr member
feld@FreeBSD.org
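The ordering question raised above, worked through as an added example that is neither the D9920 patch nor FreeBSD's own rc.firewall: an rc.firewall-style ruleset for a workstation that resolves DNSSEC-signed names, with the reass rule placed ahead of check-state so the dynamic-rule lookup sees the whole datagram. The rule numbers, the FWCMD dry-run variable and the two function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: an rc.firewall-style ipfw ruleset for a workstation that
# resolves DNSSEC-signed names. Not the D9920 patch and not FreeBSD's own
# rc.firewall; rule numbers, FWCMD and the function names are invented here.

# Dry run by default: print the ipfw commands instead of loading them.
# On a FreeBSD host run with FWCMD=/sbin/ipfw to load them for real.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

workstation_rules() {
    ${fwcmd} -f flush

    # Loopback is trusted.
    ${fwcmd} add 100 allow ip from any to any via lo0

    # Reassemble inbound fragments BEFORE the dynamic-rule lookup.
    # Non-first fragments carry no UDP/TCP header, so a keep-state entry
    # keyed on ports can never match them, and a large DNSSEC reply (a
    # UDP answer above the path MTU) arrives as several of them. The
    # older "pass all from any to any frag" rule from the client/simple
    # rulesets lets such fragments through unchecked instead ("frag"
    # matches fragments other than the first); reass lets the rules
    # below judge the reassembled datagram.
    # ipfw(8) ties what happens to the reassembled datagram to
    # net.inet.ip.fw.one_pass, so confirm with 'ipfw -a list' that the
    # check-state counter rises for fragmented replies on your release.
    ${fwcmd} add 200 reass all from any to any in

    # Match packets against dynamic rules created by keep-state below.
    ${fwcmd} add 300 check-state

    # Outbound DNS; the dynamic rule admits the (now reassembled) reply.
    ${fwcmd} add 400 allow udp from me to any 53 out keep-state
    ${fwcmd} add 410 allow tcp from me to any 53 out setup keep-state

    # Any other outbound TCP connection this host initiates.
    ${fwcmd} add 500 allow tcp from me to any out setup keep-state

    # Everything else is dropped.
    ${fwcmd} add 65000 deny ip from any to any
}

# Sanity check on the emitted order: exits 0 only when the first reass
# rule precedes the first check-state rule.
reass_precedes_check_state() {
    workstation_rules | awk '
        / reass / && !r { r = NR }
        / check-state/ && !c { c = NR }
        END { exit ((r && c && r < c) ? 0 : 1) }'
}

workstation_rules
```

Run as-is on any host it prints the commands in order; on FreeBSD, `FWCMD=/sbin/ipfw sh workstation.sh` loads them. The `reass_precedes_check_state` check is the sort of guard a firewall-loading script can run before applying a ruleset, so that a later edit cannot silently move reassembly back behind the stateful match.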