Date:      Mon, 14 Jul 2025 00:05:10 +0300
From:      Christos Chatzaras <chris@cretaforce.gr>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        freebsd-net <freebsd-net@freebsd.org>, FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Issues with IPFW skipto Rule and Whitelisting Logic
Message-ID:  <63B90A81-5E73-43E3-B36B-788C35ABF798@cretaforce.gr>
In-Reply-To: <CAHu1Y71cuy5sHEMMrZsAve+2RAn7ndQqf2jtm-gyFBS-PDEEiA@mail.gmail.com>
References:  <3A01EF48-EBE8-48C3-9C66-6A250A240341@cretaforce.gr> <CAHu1Y71cuy5sHEMMrZsAve+2RAn7ndQqf2jtm-gyFBS-PDEEiA@mail.gmail.com>



> On 13 Jul 2025, at 23:55, Michael Sierchio <kudzu@tenebras.com> wrote:
> 
> I haven't had a chance to read this in detail, but 
> 
> what about UDP?  Most DNS traffic is UDP.
> 
> And these lines are subtly wrong:
> 
> $cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup keep-state
> $cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup keep-state
> 
> because 'via' causes these rules to catch packets twice as they're processed by the kernel.  IMHO these should be
> 
> $cmd 10031 allow tcp from me to any dst-port 443 out xmit $pif setup keep-state
> $cmd 10033 allow tcp from any to me dst-port 443 in recv $pif setup keep-state
> 
> I'll have more comments when I get a chance to peruse fully.

I left out unrelated lines to keep my question focused.

For DNS traffic, I have:

$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

I’ll look into using xmit/recv as you suggested. Thanks for the tip.
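As an added example (not part of the thread, and not the rule set either poster runs), here is a small POSIX sh helper that applies the xmit/recv suggestion mechanically to a rule file: every rule that pairs an explicit `in` or `out` with `via` is rewritten to `in recv` or `out xmit`, while a rule that uses `via` with no direction keyword is left untouched, because there `via` is the intended "either interface" match. The sample rules are constructed from the DNS lines above plus one hypothetical catch-all deny rule.

```shell
#!/bin/sh
# Added example: rewrite directional ipfw rules that use 'via' into the
# interface-specific 'recv'/'xmit' form. Rules that use 'via' without an
# explicit in/out keyword are deliberately left alone (they are meant to
# match packets on either interface).

rewrite_via() {
    # Reads rule lines on stdin, writes rewritten lines on stdout.
    # The (^|[[:space:]]) guard keeps 'in'/'out' from matching inside
    # other tokens such as 'min' or 'setup'.
    sed -E \
        -e 's/(^|[[:space:]])in[[:space:]]+via[[:space:]]+/\1in recv /' \
        -e 's/(^|[[:space:]])out[[:space:]]+via[[:space:]]+/\1out xmit /'
}

# count_via_rules RULES: how many lines still contain a bare 'via' match.
count_via_rules() {
    printf '%s\n' "$1" | grep -c '[[:space:]]via[[:space:]]'
}

# Constructed sample rule set modelled on the DNS rules in the message;
# rule 10099 is a hypothetical catch-all that uses 'via' with no direction.
SAMPLE_RULES='$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state
$cmd 10099 deny ip from any to any via $pif'

# Show the result: the four DNS rules change, the catch-all does not.
printf '%s\n' "$SAMPLE_RULES" | rewrite_via
```

Run it against a real rc.firewall with `rewrite_via < /etc/rc.firewall > rc.firewall.new` and diff the two files before installing anything.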
