From owner-freebsd-questions@freebsd.org Sun Dec 8 17:11:34 2019
Return-Path: starikarp@dismail.de
Date: Sun, 8 Dec 2019 12:11:25 -0500
To: FreeBSD Questions (freebsd-questions@freebsd.org)
Subject: ipfw for unbound
Message-ID: <20191208121125.4ec7e9e8@dismail.de>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; amd64-portbld-freebsd12.0)

Hi!

I have unbound installed on a single desktop computer with FreeBSD 12.1-RELEASE and settings for DNS over TLS, which works. I am running the IPFW firewall and I had (have) in my rules for DNS:

    $cmd 01250 allow udp from any to 84.242.218.68 853 out via $pif keep-state
    $cmd 01300 allow tcp from any to 84.242.218.68 853 out via $pif setup keep-state

In unbound.conf I have 5 different forward-addresses, and in /etc/resolv.conf I have nameserver 127.0.0.1.

I thought that

    $cmd 11027 allow udp from any to me dst-port 853 keep-state
    $cmd 11028 allow tcp from any to me dst-port 853 setup keep-state

will work, but it doesn't. Should I allow each address then, please?

Thank you.

-- 
“good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws”
Plato
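Added example (not from the original post and not FreeBSD's own rc.firewall): a small sh snippet that generates the ipfw commands for unbound's DNS-over-TLS forwarders from one address table instead of one rule per forwarder, and shows why a rule written "to me" cannot match the outbound queries. The interface name em0, the table name dot_forwarders and the two extra forwarder addresses are assumptions; only 84.242.218.68 comes from the post.

```shell
#!/bin/sh
# Generate ipfw rules that let a local unbound reach its DNS-over-TLS
# forwarders, using one address table rather than one rule per address.
# Nothing here calls ipfw; the output is meant to be reviewed, then fed
# to sh or pasted into the host's firewall script.

pif="em0"   # assumed outside interface, playing the role of $pif in the post
# Forwarder list: the address quoted in the post plus constructed RFC 5737
# documentation addresses standing in for the other unbound forward-addr entries.
forwarders="84.242.218.68 192.0.2.53 198.51.100.53"

dot_rules() {
    # $1 = outside interface, remaining arguments = forwarder addresses
    iface=$1; shift
    echo "ipfw table dot_forwarders create type addr"
    for addr in "$@"; do
        echo "ipfw table dot_forwarders add $addr"
    done
    # DNS over TLS (RFC 7858) runs over TCP/853.  The first SYN leaves this
    # host with the forwarder as its destination, so a rule saying "to me"
    # (packets addressed to one of this host's own addresses) never sees it;
    # the match has to be on the destination, here the forwarder table.
    # "from me" keeps the rule to locally originated connections only.
    echo "ipfw add 01250 allow tcp from me to 'table(dot_forwarders)' 853 out via $iface setup keep-state"
    # No UDP/853 rule: DoT does not use UDP, so such a rule only widens the
    # policy without helping unbound.
}

dot_rules "$pif" $forwarders
```

Adding a sixth forwarder later is then one `ipfw table dot_forwarders add` line, with the rule itself unchanged.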