From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 13 21:38:13 2009
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 743EA1065670 for ; Fri, 13 Mar 2009 21:38:13 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it)
Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.9.129]) by mx1.freebsd.org (Postfix) with ESMTP id 3A75F8FC12 for ; Fri, 13 Mar 2009 21:38:13 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it)
Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id CE1AE73098; Fri, 13 Mar 2009 22:43:27 +0100 (CET)
Date: Fri, 13 Mar 2009 22:43:27 +0100
From: Luigi Rizzo
To: Dmitriy Demidov
Cc: freebsd-ipfw@freebsd.org
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <20090313214327.GA1675@onelab2.iet.unipi.it>
In-Reply-To: <200903132246.49159.dima_bsd@inbox.lv>
References: <200903132246.49159.dima_bsd@inbox.lv>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 13 Mar 2009 21:38:13 -0000

On Fri, Mar 13, 2009 at 10:46:48PM +0200, Dmitriy Demidov wrote:
> Hi list.
>
> I'm using the DNS cache server Unbound-1.2.1. I want to start using DNSSEC via DLV (unbound gracefully allows it).
> My system is FreeBSD7-STABLE. I'm using ipfw.
>
> Original ipfw configuration:
> add check-state
> add deny icmp from any to any frag
> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
>
> /etc/sysctl.conf
> net.inet.ip.fw.dyn_udp_lifetime=60
>
> The problem is that Unbound can't do DNSSEC validation using this firewall configuration. It complains with something like this:
> [1236970569] unbound[9096:3] info: resolving
> [1236970569] unbound[9096:3] info: failed to prime trust anchor -- could not fetch DNSKEY rrset
> [1236970569] unbound[9096:3] info: Could not establish a chain of trust to keys for
>
> Unbound starts working only when I put this set of rules in ipfw, to handle all UDP packets outside of the keep-state rules:
> add allow udp from any to any
> add check-state
> add deny icmp from any to any frag
> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
>
> It looks like dynamically created rules somehow handle big UDP packets inadequately (DNSSEC answers are big).
> Is there anyone who can help to investigate this issue (it looks like I can't do it myself)?
> Can it be an ipfw-related issue?

It is not related to dynamic rules, but to the fact that the firewall is called before reassembling packets. The info (port numbers especially) is not available in the fragments, so the firewall cannot do anything. The only solution would be to call the firewall after reassembly. I am not sure if there is any work in progress for that.

cheers
luigi
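The mechanism Luigi describes, as an added example that is not part of the thread and not ipfw code: a constructed IPv4/UDP datagram larger than the MTU is fragmented per RFC 791, and the fragments are run through a toy "keep-state" filter first one fragment at a time (the order ipfw saw them in on FreeBSD 7, before ip_reass) and then after a toy reassembler has rebuilt the datagram. Only the first fragment carries the UDP header, so only it can match dynamic state; the rest fall through to the final deny. Addresses, ports, IP IDs and payload are made up, and the filter and reassembler are simplifications of the real thing.

```python
"""Why a stateful filter that runs before IP reassembly cannot match every fragment.

Added example for this thread, not code from ipfw or from the posters. Addresses,
ports, IDs and payload are constructed; KeepStateFilter and Reassembler are toys
that mimic ipfw's check-state and the kernel reassembler only as far as needed.
"""
import struct

IPPROTO_UDP = 17
IP_HDR_LEN = 20
MTU = 1500

def ipv4_header(src, dst, ident, more, offset_units, total_len, proto=IPPROTO_UDP):
    # Flags (3 bits) and fragment offset (13 bits, in 8-byte units) share one 16-bit field.
    frag_field = (more << 13) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, frag_field,
                       64, proto, 0, src, dst)  # checksum left 0: not needed here

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_field, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return dict(src=pkt[12:16], dst=pkt[16:20], id=ident, proto=proto,
                more=bool(frag_field & 0x2000), offset=(frag_field & 0x1FFF) * 8,
                payload=pkt[ihl:total_len])

def fragment(src, dst, ident, l4, mtu=MTU):
    """Split an L4 payload (UDP header + data) into IPv4 fragments, as a sending stack would."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8  # every fragment but the last carries a multiple of 8
    frags = []
    for off in range(0, len(l4), max_data):
        chunk = l4[off:off + max_data]
        more = 1 if off + max_data < len(l4) else 0
        frags.append(ipv4_header(src, dst, ident, more, off // 8, IP_HDR_LEN + len(chunk)) + chunk)
    return frags

def udp_ports(ip):
    """UDP ports exist only in the packet that carries the UDP header: offset 0 with >= 8 bytes."""
    if ip["proto"] != IPPROTO_UDP or ip["offset"] != 0 or len(ip["payload"]) < 8:
        return None
    return struct.unpack("!HH", ip["payload"][:4])

class KeepStateFilter:
    """Toy of 'allow udp from me to any out keep-state', 'check-state' and a final deny."""

    def __init__(self, me):
        self.me = me
        self.dyn = set()  # (src, sport, dst, dport) learned from outbound packets

    def outbound(self, ip):
        ports = udp_ports(ip)
        if ip["src"] == self.me and ports:
            self.dyn.add((ip["src"], ports[0], ip["dst"], ports[1]))
            return "allow"
        return "deny"

    def inbound(self, ip):
        ports = udp_ports(ip)
        if ports is None:
            return "deny"  # no L4 header in this fragment: check-state has nothing to match
        return "allow" if (ip["dst"], ports[1], ip["src"], ports[0]) in self.dyn else "deny"

class Reassembler:
    """Minimal RFC 791 reassembly keyed by (src, dst, id, proto); no timeouts or overlap handling."""

    def __init__(self):
        self.pending = {}

    def add(self, ip):
        """Return the reassembled datagram once all fragments have arrived, else None."""
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        buf = self.pending.setdefault(key, {})
        buf[ip["offset"]] = (ip["payload"], ip["more"])
        pos, chunks = 0, []
        while pos in buf:  # walk contiguous fragments from offset 0
            chunk, more = buf[pos]
            chunks.append(chunk)
            pos += len(chunk)
            if not more:
                del self.pending[key]
                return dict(ip, offset=0, more=False, payload=b"".join(chunks))
        return None

def simulate(reply_size=1800):
    """An outbound DNS query creates state; a large (DNSSEC-sized) reply comes back fragmented."""
    me, resolver = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53])  # constructed addresses
    fw = KeepStateFilter(me)
    query = struct.pack("!HHHH", 40000, 53, 8 + 20, 0) + b"Q" * 20  # UDP header + fake query
    fw.outbound(parse_ipv4(fragment(me, resolver, 1, query)[0]))
    answer = struct.pack("!HHHH", 53, 40000, 8 + reply_size, 0) + b"A" * reply_size
    frags = [parse_ipv4(f) for f in fragment(resolver, me, 2, answer)]
    before = [fw.inbound(f) for f in frags]  # what a pre-reassembly firewall sees: per fragment
    reass = Reassembler()
    after = [fw.inbound(d) for d in map(reass.add, frags) if d is not None]  # whole datagram
    return {"fragments": len(frags), "before_reassembly": before, "after_reassembly": after}

if __name__ == "__main__":
    print(simulate())  # {'fragments': 2, 'before_reassembly': ['allow', 'deny'], 'after_reassembly': ['allow']}
```

With a 1800-byte reply the first fragment is allowed by the dynamic rule and the second is denied, which is exactly why Unbound only works once `allow udp from any to any` is added; a 400-byte reply needs no fragmentation and passes either way. In ipfw terms, a narrower workaround than opening all UDP (my suggestion, not advice from the thread) is to accept non-first fragments addressed to the host before `check-state`, using the same `frag` option the poster's ICMP rule already uses, e.g. `add allow ip from any to me frag`; the caveat is that such a rule admits any non-first fragment regardless of state, relying on the kernel's reassembler to discard fragments whose first fragment never arrives, while the first fragment itself still has to pass `check-state`. Later FreeBSD releases added an ipfw `reass` action that reassembles inside the rule chain before further matching; check ipfw(8) for your release.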