From: Sergey Matveychuk <sem@FreeBSD.org>
Date: Sat, 14 Mar 2009 17:03:54 +0300
To: Dmitriy Demidov
Cc: freebsd-ipfw@freebsd.org
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49BBB94A.7040208@FreeBSD.org>
In-Reply-To: <200903132246.49159.dima_bsd@inbox.lv>

Dmitriy Demidov wrote:
> Unbound starts working only when I put in ipfw this set of rules to handle all UDP packets outside of the keep-state rules:
> add allow udp from any to any

What if you add:

add allow ip from any to any frag

instead of the line above?

> add check-state
> add deny icmp from any to any frag

I'm not sure the line above is correct.

> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
>
> It looks like dynamically created rules somehow inadequately handle big UDP packets (DNSSEC answers are big).
> Is there anyone who can help to investigate this issue (it looks like I can't do it myself)?
> Can it be an ipfw-related issue?

-- 
Dixi.
Sem.
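To make the mechanism behind this thread concrete, here is a toy model of ipfw's dynamic-rule matching, added as an example (it is neither from the thread nor from ipfw's source): it runs the poster's ruleset against a DNSSEC-sized reply and compares his `allow udp from any to any` workaround with Sem's `allow ip from any to any frag`. The host address, upstream name server, and the `rule`, `matches`, `evaluate` and `verdicts` names are constructed assumptions; the one simplification it relies on is that a non-first IP fragment carries no UDP header, so its 5-tuple can never be found in the dynamic table.

```python
from collections import namedtuple
ME = "192.0.2.10"  # constructed address of the firewall host

# sport/dport 0 = no UDP header visible; out = direction relative to this host;
# frag = non-first IP fragment (offset != 0), which carries no UDP header at all.
Packet = namedtuple("Packet", "proto src dst sport dport out frag",
                    defaults=(0, 0, True, False))

def rule(action, proto=None, src=None, dst=None, **opts):
    return dict(action=action, proto=proto, src=src, dst=dst, **opts)

# The poster's ruleset minus its first line (ICMP rules left out; they never match UDP).
BASE = [
    rule("check-state"),
    rule("allow", "tcp", "me", "any", out=True, keep_state=True),
    rule("allow", "udp", "me", "any", out=True, keep_state=True),
    rule("deny", "ip", "any", "any"),
]
STATEFUL_ONLY = BASE                                              # what failed
UDP_WORKAROUND = [rule("allow", "udp", "any", "any")] + BASE      # the poster's workaround
FRAG_FIX = [rule("allow", "ip", "any", "any", frag=True)] + BASE  # Sem's suggestion

def matches(r, p):
    ok = lambda spec, a: spec == "any" or (spec == "me" and a == ME)
    return (r["proto"] in ("ip", p.proto) and ok(r["src"], p.src) and ok(r["dst"], p.dst)
            and (p.frag or not r.get("frag")) and (p.out or not r.get("out")))

def evaluate(rules, p, state):
    """First match decides; keep-state adds both directions of the 5-tuple to state."""
    for r in rules:
        if r["action"] == "check-state":
            # A non-first fragment has ports 0, so its 5-tuple is never in the table.
            if (p.proto, p.src, p.sport, p.dst, p.dport) in state:
                return "allow"
            continue
        if matches(r, p):
            if r.get("keep_state"):
                state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                state.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return r["action"]
    return "deny"  # ipfw's default rule on a default kernel

def verdicts(rules):
    """Query out, first fragment in, later fragment in, unsolicited inbound UDP."""
    state, ns = set(), "198.51.100.53"  # constructed upstream name server
    pkts = (Packet("udp", ME, ns, 53000, 53),
            Packet("udp", ns, ME, 53, 53000, out=False),
            Packet("udp", ns, ME, out=False, frag=True),
            Packet("udp", "203.0.113.9", ME, 4444, 53, out=False))
    return tuple(evaluate(rules, p, state) for p in pkts)
```

The fourth packet shows the cost of the workaround: `allow udp from any to any` admits unsolicited inbound UDP as well as the fragments, while the `frag` rule admits only non-first fragments and leaves the rest of the traffic stateful.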