From: Dmitriy Demidov
To: freebsd-ipfw@freebsd.org
Date: Fri, 13 Mar 2009 22:46:48 +0200
Subject: keep-state rules inadequately handle big UDP packets or fragmented IP packets?
Message-Id: <200903132246.49159.dima_bsd@inbox.lv>
List-Id: IPFW Technical Discussions

Hi list.

I'm using the DNS cache server Unbound-1.2.1. I want to start using DNSSEC via DLV (Unbound gracefully allows it). My system is FreeBSD 7-STABLE. I'm using ipfw.
Original ipfw configuration:

    add check-state
    add deny icmp from any to any frag
    add allow icmp from any to me icmptypes 0,3,11
    add allow icmp from me to any out keep-state
    add allow tcp from me to any out keep-state
    add allow udp from me to any out keep-state
    add deny ip from any to any

/etc/sysctl.conf:

    net.inet.ip.fw.dyn_udp_lifetime=60

The problem is that Unbound can't do DNSSEC validation using this firewall configuration. It reports something like this:

    [1236970569] unbound[9096:3] info: resolving
    [1236970569] unbound[9096:3] info: failed to prime trust anchor -- could not fetch DNSKEY rrset
    [1236970569] unbound[9096:3] info: Could not establish a chain of trust to keys for

Unbound starts working only when I put this set of rules in ipfw, to handle all UDP packets outside of the keep-state rules:

    add allow udp from any to any
    add check-state
    add deny icmp from any to any frag
    add allow icmp from any to me icmptypes 0,3,11
    add allow icmp from me to any out keep-state
    add allow tcp from me to any out keep-state
    add allow udp from me to any out keep-state
    add deny ip from any to any

It looks like dynamically created rules somehow handle big UDP packets inadequately (DNSSEC answers are big). Is there anyone who can help to investigate this issue (it looks like I can't do it myself)? Can it be an ipfw-related issue?

Thanks.
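The mechanism behind the symptom described in the mail, as an added example that is not part of the original message and is not ipfw or Unbound code: a dynamic rule created by keep-state is keyed on the full UDP 5-tuple, and when a large DNS reply is fragmented at the IP layer only the first fragment carries the UDP header, so the remaining fragments have no ports for check-state to look up. The script below builds a UDP/IPv4 packet, fragments it at a constructed MTU, runs the fragments through a toy keep-state/check-state table, and shows that reassembling first restores the match. All addresses, ports, the 1500-byte MTU and the reply sizes are constructed for the simulation; the state table is a simplified model of ipfw behaviour, not its implementation.

```python
"""Toy model of why a dynamic (keep-state) rule keyed on the UDP 5-tuple
cannot match the non-first IP fragments of a large DNS reply.
Added example, not code from the mail, ipfw or Unbound; addresses, ports,
MTU and payload sizes are constructed for the simulation."""
import ipaddress
import struct

IP_HDR_LEN = 20   # IPv4 header without options
UDP_HDR_LEN = 8
IPPROTO_UDP = 17
IP_MF = 0x2000    # "more fragments" flag


def build_udp_packet(src_ip, dst_ip, sport, dport, payload, ident=0x1234):
    """Minimal IPv4+UDP packet (checksums left at zero: nothing is sent)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp), ident,
                     0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp


def fragment(packet, mtu):
    """Split an IPv4 packet as a host or router would: every fragment gets a
    copy of the IP header, data offsets are multiples of 8 bytes, MF is set
    on all fragments but the last.  Only the first one carries the UDP header."""
    hdr, data = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        flags_off = (0 if off + chunk >= len(data) else IP_MF) | (off // 8)
        fhdr = (hdr[:2] + struct.pack("!H", IP_HDR_LEN + len(piece))
                + hdr[4:6] + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(fhdr + piece)
    return frags


def reassemble(frags):
    """Put fragments back together (what a firewall must do before it can
    see the ports of anything but the first fragment)."""
    frags = sorted(frags, key=lambda f: struct.unpack("!H", f[6:8])[0] & 0x1FFF)
    data = b"".join(f[IP_HDR_LEN:] for f in frags)
    hdr = frags[0]
    return (hdr[:2] + struct.pack("!H", IP_HDR_LEN + len(data)) + hdr[4:6]
            + struct.pack("!H", 0) + hdr[8:IP_HDR_LEN] + data)


def parse(packet):
    """Return (src, dst, proto, frag_offset, sport, dport).  Ports are None
    for a non-first fragment: there is no transport header to read."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:IP_HDR_LEN])
    proto, frag_off = fields[6], fields[4] & 0x1FFF
    src = str(ipaddress.IPv4Address(fields[8]))
    dst = str(ipaddress.IPv4Address(fields[9]))
    sport = dport = None
    if frag_off == 0 and proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", packet[IP_HDR_LEN:IP_HDR_LEN + 4])
    return src, dst, proto, frag_off, sport, dport


class DynamicRules:
    """Simplified model of keep-state/check-state: entries are keyed on the
    full 5-tuple of the packet that created them, matched in both directions."""

    def __init__(self):
        self.table = set()

    def keep_state(self, packet):
        src, dst, proto, _, sport, dport = parse(packet)
        self.table.add((proto, src, sport, dst, dport))

    def check_state(self, packet):
        src, dst, proto, _, sport, dport = parse(packet)
        if sport is None:          # non-first fragment: nothing to look up
            return False
        return ((proto, src, sport, dst, dport) in self.table
                or (proto, dst, dport, src, sport) in self.table)


def simulate(reply_size, mtu=1500, reassemble_first=False):
    """Send a DNS query out through keep-state, then feed the fragments of a
    reply_size-byte reply to check-state.  Returns (passed, dropped)."""
    fw = DynamicRules()
    fw.keep_state(build_udp_packet("10.0.0.2", "192.0.2.53", 53000, 53, b"query"))
    reply = build_udp_packet("192.0.2.53", "10.0.0.2", 53, 53000, b"A" * reply_size)
    frags = fragment(reply, mtu)
    if reassemble_first:
        frags = [reassemble(frags)]
    passed = sum(1 for f in frags if fw.check_state(f))
    return passed, len(frags) - passed


if __name__ == "__main__":
    print("500-byte reply :", simulate(500))                         # (1, 0)
    print("3000-byte reply:", simulate(3000))                        # (1, 2)
    print("with reassembly:", simulate(3000, reassemble_first=True))  # (1, 0)
```

The 3000-byte reply splits into three fragments at a 1500-byte MTU and only the first one passes the state check; the other two are exactly what ipfw's `frag` option matches, and later ipfw releases added a `reass` action that reassembles fragments before the rule set is evaluated, which is what the `reassemble_first` path models. The mail's workaround of allowing UDP from any to any ahead of check-state makes the fragments pass, but it does so by admitting all inbound UDP statelessly, so it widens what reaches the host rather than fixing the fragment handling.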