Date: Mon, 14 Jul 2025 00:05:10 +0300
From: Christos Chatzaras <chris@cretaforce.gr>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: freebsd-net <freebsd-net@freebsd.org>, FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Issues with IPFW skipto Rule and Whitelisting Logic
Message-ID: <63B90A81-5E73-43E3-B36B-788C35ABF798@cretaforce.gr>
In-Reply-To: <CAHu1Y71cuy5sHEMMrZsAve+2RAn7ndQqf2jtm-gyFBS-PDEEiA@mail.gmail.com>
References: <3A01EF48-EBE8-48C3-9C66-6A250A240341@cretaforce.gr> <CAHu1Y71cuy5sHEMMrZsAve+2RAn7ndQqf2jtm-gyFBS-PDEEiA@mail.gmail.com>
> On 13 Jul 2025, at 23:55, Michael Sierchio <kudzu@tenebras.com> wrote:
>
> I haven't had a chance to read this in detail, but
>
> what about UDP? Most DNS traffic is UDP.
>
> And these lines are subtly wrong:
>
> $cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup keep-state
> $cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup keep-state
>
> because 'via' causes these rules to catch packets twice as they're processed by the kernel. IMHO these should be
>
> $cmd 10031 allow tcp from me to any dst-port 443 out xmit $pif setup keep-state
> $cmd 10033 allow tcp from any to me dst-port 443 in recv $pif setup keep-state
>
> I'll have more comments when I get a chance to peruse fully.

I left out unrelated lines to keep my question focused.

For DNS traffic, I have:

$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

I'll look into using xmit/recv as you suggested. Thanks for the tip.
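The point Michael raises above (pair `in` with `recv` and `out` with `xmit` rather than `via`, because ipfw's `via` matches a packet whose receive *or* transmit interface is the named one) is easy to miss in a long ruleset. Below is an added example, written for this thread and not code from either poster, of a small linter that scans an ipfw ruleset as text, rewrites `in via IF` to `in recv IF` and `out via IF` to `out xmit IF`, and flags a direction-less `via` rule, which a forwarded packet hits on both its inbound and its outbound pass. The sample ruleset is constructed: it assumes `$cmd` expands to `ipfw -q add` and `$pif` to `em0`, mirrors the rule shapes posted in the thread, and adds one direction-less rule (10040) that the thread does not contain. Nothing here talks to the running firewall.

```python
"""Lint an ipfw ruleset for 'via' used where 'recv' or 'xmit' is meant.

Added example for this thread; not code from either poster. Text only:
it never invokes ipfw. $cmd = "ipfw -q add" and $pif = "em0" are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the rule shapes posted in the thread,
# plus one direction-less rule (10040) that the thread does not contain.
SAMPLE_RULES = """\
ipfw -q add 10021 allow tcp from any to me dst-port 53 in via em0 setup keep-state
ipfw -q add 10022 allow udp from any to me dst-port 53 in via em0 keep-state
ipfw -q add 10023 allow tcp from me to any dst-port 53 out via em0 setup keep-state
ipfw -q add 10024 allow udp from me to any dst-port 53 out via em0 keep-state
ipfw -q add 10031 allow tcp from me to any dst-port 443 out via em0 setup keep-state
ipfw -q add 10033 allow tcp from any to me dst-port 443 in via em0 setup keep-state
ipfw -q add 10040 allow icmp from any to any via em0 keep-state
"""

# "in via IF" / "out via IF": the direction keyword already says which
# interface matters, so the interface test should be recv/xmit, not via.
DIRECTED_VIA = re.compile(r"\b(in|out)\s+via\s+(\S+)")
# Any "via IF" at all (checked only when the rule carries no in/out).
BARE_VIA = re.compile(r"\bvia\s+(\S+)")
DIRECTION = re.compile(r"\b(in|out)\b")
RULE_NUM = re.compile(r"\badd\s+(\d+)\b")


def rewrite_rule(rule: str) -> str:
    """Return rule with 'in via IF' -> 'in recv IF' and 'out via IF' -> 'out xmit IF'."""
    def fix(m: "re.Match") -> str:
        direction, iface = m.group(1), m.group(2)
        keyword = "recv" if direction == "in" else "xmit"
        return f"{direction} {keyword} {iface}"
    return DIRECTED_VIA.sub(fix, rule)


def lint_rule(rule: str) -> Dict[str, str]:
    """Classify one rule line. Returns {} when the rule needs no change."""
    num = RULE_NUM.search(rule)
    number = num.group(1) if num else "?"
    if DIRECTED_VIA.search(rule):
        return {
            "rule": number,
            "problem": "via combined with in/out: via matches the receive or "
                       "transmit interface, so pair in with recv and out with xmit",
            "suggest": rewrite_rule(rule),
        }
    if BARE_VIA.search(rule) and not DIRECTION.search(rule):
        return {
            "rule": number,
            "problem": "via with no direction: a forwarded packet is evaluated on "
                       "both its inbound and outbound pass, so this rule can "
                       "match the same packet twice",
            "suggest": "add in/out and use recv/xmit (or split into two rules)",
        }
    return {}


def lint_ruleset(text: str) -> List[Dict[str, str]]:
    """Lint every non-empty, non-comment line of a ruleset in file order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = lint_rule(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in lint_ruleset(SAMPLE_RULES):
        print(f"rule {f['rule']}: {f['problem']}\n    -> {f['suggest']}")
```

Run against a real `rc.firewall`-style script, the `$cmd`/`$pif` variables would first need expanding (or the regexes widened to accept them literally); the check is deliberately conservative and only rewrites rules whose direction is already explicit.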