Date: Mon, 14 Jul 2025 02:07:09 +0300
From: Christos Chatzaras <chris@cretaforce.gr>
To: Vadim Goncharov <vadimnuclight@gmail.com>
Cc: freebsd-net <freebsd-net@freebsd.org>, FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Issues with IPFW skipto Rule and Whitelisting Logic
Message-ID: <BE359828-592D-4ECA-9F19-1D58AA707461@cretaforce.gr>
In-Reply-To: <20250714001805.073389b5@nuclight.lan>
References: <3A01EF48-EBE8-48C3-9C66-6A250A240341@cretaforce.gr> <BFBEBAE0-E768-4E8D-9DB6-0AAD9D0EF931@cretaforce.gr> <20250714001805.073389b5@nuclight.lan>
> Did you try to remove `-q` from all your scripts and see if there are errors?
> May be something in dmesg? Adding another log rule for your test IP? tcpdump?
>
> --
> WBR, @nuclight

ipfw -q add 00032 count log logamount 0 ip from 175.178.0.0/16 to any

After that, I checked /var/log/security while trying to connect from 175.178.167.241 (I can only use a web interface they provide me to test the connection). During these tests, I saw DNS requests coming from 175.178.254.144 and 175.178.136.250 to port 53, which I assume are their DNS resolvers. Once I added those two IPs to table(3), I could no longer reproduce the issue. I will test again tomorrow, but I'm now quite sure the real problem was DNS resolution failing because those resolver IPs were blocked.
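The diagnosis above (a `count log` rule, then reading /var/log/security for the remote side's DNS resolvers hitting port 53, then whitelisting them in table(3)) can be scripted so the resolver addresses are pulled out of the log instead of eyeballed. This is an added example, not code from the thread: the log lines are constructed to follow the ipfw(8) logging format, the ports, interface and destination address are made up, and the rule number, prefix and table number are taken from the message.

```shell
#!/bin/sh
# Constructed sample of /var/log/security lines as rule 32 ("count log")
# would emit them. Source addresses are the ones from the thread; the
# destination 203.0.113.10, ports, timestamps and interface are invented.
SAMPLE_LOG='Jul 14 01:55:12 host kernel: ipfw: 32 Count UDP 175.178.254.144:41234 203.0.113.10:53 in via em0
Jul 14 01:55:12 host kernel: ipfw: 32 Count UDP 175.178.136.250:50012 203.0.113.10:53 in via em0
Jul 14 01:55:13 host kernel: ipfw: 32 Count TCP 175.178.167.241:51000 203.0.113.10:443 in via em0
Jul 14 01:55:14 host kernel: ipfw: 32 Count UDP 175.178.254.144:41235 203.0.113.10:53 in via em0
Jul 14 01:55:15 host kernel: ipfw: 32 Count UDP 198.51.100.7:40000 203.0.113.10:53 in via em0'

# dns_sources RULE PREFIX: read ipfw log lines on stdin and print, once
# each, the source addresses that rule RULE saw sending to port 53 and
# whose dotted-quad text starts with PREFIX (a textual prefix such as
# "175.178.", not a CIDR match).
dns_sources() {
    awk -v rule="$1" -v prefix="$2" '
        {
            # locate the "ipfw:" token; after it the fields are:
            #   rule action proto src:sport dst:dport in/out via iface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i+1) != rule) next
            split($(i+4), s, ":")   # s[1] = source address
            split($(i+5), d, ":")   # d[2] = destination port
            if (d[2] == "53" && index(s[1], prefix) == 1 && !seen[s[1]]++)
                print s[1]
        }' | sort
}

# table_cmds TABLE: turn one address per line on stdin into the
# corresponding "ipfw table TABLE add" commands for review before running.
table_cmds() {
    awk -v t="$1" '{ printf "ipfw table %s add %s\n", t, $1 }'
}

# Against the live log the invocation would be:
#   dns_sources 32 175.178. < /var/log/security | table_cmds 3
printf '%s\n' "$SAMPLE_LOG" | dns_sources 32 175.178. | table_cmds 3
```

Only the two resolver addresses survive: the 175.178.167.241 web client hits port 443 and the 198.51.100.7 query falls outside the prefix.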
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BE359828-592D-4ECA-9F19-1D58AA707461>