From owner-freebsd-stable@FreeBSD.ORG Fri May 23 17:03:23 2014
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6C3011D2 for ; Fri, 23 May 2014 17:03:23 +0000 (UTC)
Received: from smtp2.wemm.org (smtp2.wemm.org [IPv6:2001:470:67:39d::78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp2.wemm.org", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 470E7219D for ; Fri, 23 May 2014 17:03:23 +0000 (UTC)
Received: from [172.16.21.76] (50-204-120-225-static.hfc.comcastbusiness.net [50.204.120.225]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (Client did not present a certificate) (Authenticated sender: peter) by smtp2.wemm.org (Postfix) with ESMTPSA id 69863EB; Fri, 23 May 2014 10:03:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wemm.org; s=m20140428; t=1400864602; bh=LX9dKLeG2WICt3L1kg/QDtaZyueiM6/zhkU1vuaifUk=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=ckMXJSoONM2hi7BUSiyz8af9VqrAdalaKDS58LlKTo2IukRoKYJBWdChcOEL5r1axWQKHGtNJNl+icsgT7U1Y8V3M3tpr458IFXISir821ctuENK95oZEQqLfK59quSDnnqTNDIS0xshpcorfmUvT4fot0emmW+xOBiXq8lFguw=
Message-ID: <537F7F5B.9090805@wemm.org>
Date: Fri, 23 May 2014 10:03:23 -0700
From: Peter Wemm
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Rainer Duffner
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
References: <20140520070926.GA92183@The.ie> <537CF293.5010508@sentex.net> <537E7F2F.1050903@wemm.org> <20140523102410.0f61fe0c@suse3.ewadmin.local>
In-Reply-To: <20140523102410.0f61fe0c@suse3.ewadmin.local>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 23 May 2014 17:03:23 -0000

On 5/23/14, 1:24 AM, Rainer Duffner wrote:
> On Thu, 22 May 2014 15:50:23 -0700, Peter Wemm wrote:
>
>> The main source of pain we have is that the pf in FreeBSD doesn't do
>> ipv6 fragment processing. We had to work around this because we have
>> public facing DNS servers behind it and they have to deal with ipv6
>> fragments.
>
> Hi,
>
> can you elaborate on this a bit more (without exposing the security of
> the FreeBSD.org cluster)?
> The reason I ask is that we're going to implement a new DNS soon'ish
> and it will also need to serve IPV6.
> It's planned to run pf on the nameservers directly. At least until we
> have a commercial firewall that actually does IPV6 better than pf ;-)
>
> Or is there information on the web about this, somewhere?
>

IPv6 fragments are implemented quite differently to IPv4 - those can be a real menace. IPv4 fragments are allowed to overlap each other and rewrite previous fragments, including the header. IPv6 fragments are not allowed to overlap and the IPv6 part of the header is outside the fragment area. Unfortunately the TCP and UDP headers are included in the fragment area.

How this affects DNS depends on whether you are doing resolving or serving zones.

What we do for DNS is use a dedicated IPv6 address that is exclusively used for DNS and allow IPv6 fragments to this address.
Since fragment filtering can't specify ports, we effectively allow all ports to this address. I set this up so that it should not be a problem and routinely check to make sure there are no unexpected listeners on that address.

For DNS servers, this is mostly a non-issue. For resolvers (particularly with things like Unbound), a large pool of stateless incoming ports is used, so it would probably be prudent to use an exclusive address for this.

If pf could reassemble IPv6 fragments to examine ports and state for these it'd be a lot nicer, but it doesn't in FreeBSD.

Beware, DNSSEC causes very large packets and makes fragmentation an issue.

-Peter
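The workaround Peter describes (a DNS-only IPv6 address, fragments passed to that address and nothing else, plus a routine check that no other service listens there), written out as an added example. This is not the freebsd.org cluster's configuration and not code from the thread; the address 2001:db8::53, the macro name dns6 and the sockstat sample are hypothetical. The pf rules rely on pf in FreeBSD of that era handing any packet that carries a fragment extension header (protocol 44, named ipv6-frag in /etc/protocols) to its stateless fragment path, where a rule can match on addresses and protocol only, which is exactly why the rule cannot name port 53 and ends up opening every port on that one address. The listener check parses the column layout of FreeBSD's sockstat -6 -l and also flags sockets bound to the wildcard address, because a daemon bound to :: answers on the dedicated address too.

```shell
#!/bin/sh
# Added example, not configuration from the freebsd.org cluster.
# Assumptions (hypothetical): the nameserver's dedicated, DNS-only IPv6
# address is 2001:db8::53; sockstat prints the usual FreeBSD columns
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).

dns6="2001:db8::53"

# pf.conf fragment for the "dedicated address, fragments allowed" approach,
# written as host rules (pf on the nameserver itself, as Rainer plans).
# Print it and feed it to `pfctl -nf -` on a FreeBSD box to syntax-check.
pf_rules() {
    cat <<EOF
dns6 = "$dns6"

# Whole (unfragmented) packets: ordinary stateful, port-specific filtering.
pass in quick inet6 proto { tcp udp } from any to \$dns6 port 53 keep state

# Packets carrying an IPv6 fragment header (protocol 44, "ipv6-frag" in
# /etc/protocols) never reach the port rule above: pf evaluates them
# statelessly, on addresses and protocol only. This rule is therefore
# "all ports, this one address", acceptable only because nothing except
# DNS is bound to \$dns6. Fragments to every other address fall through
# to the default block policy.
pass in quick inet6 proto ipv6-frag from any to \$dns6 no state
EOF
}

# The routine check, as a script: list sockets that would accept traffic on
# the dedicated address but are not on the allowed-port list. A socket bound
# to the wildcard address (shown as "*" by sockstat) also answers on the
# dedicated address, so wildcard binds are flagged as well.
#   usage: sockstat -6 -l | unexpected_listeners ADDRESS "PORT [PORT ...]"
# Prints "COMMAND PID PROTO LOCAL" per offender; exit status 1 if any found.
unexpected_listeners() {
    awk -v addr="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                          # skip the column header
        {
            local = $6
            port = local; sub(/.*:/, "", port)    # text after the last colon
            host = local; sub(/:[^:]*$/, "", host) # text before the last colon
            if ((host == addr || host == "*") && !(port in ok)) {
                found = 1
                print $2, $3, $5, local
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample in the format of `sockstat -6 -l` (not real output).
# sshd is bound to the management address only; ntpd is bound to the
# wildcard and is therefore reachable on the DNS address too.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  21 tcp6   2001:db8::53:53       *:*
bind     named      1234  22 udp6   2001:db8::53:53       *:*
root     sshd       900   4  tcp6   2001:db8::1:22        *:*
root     ntpd       800   20 udp6   *:123                 *:*'

pf_rules
echo
if printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "$dns6" "53"; then
    echo "only DNS listens on $dns6"
else
    echo "unexpected listeners on $dns6 (above); fix before allowing fragments"
fi
```

On the real host the check is `sockstat -6 -l | unexpected_listeners "$dns6" 53` from cron; the sample run flags ntpd because its wildcard bind covers the DNS address. For a resolver, where Unbound opens a large pool of outgoing source ports on whatever address it is bound to, the allowed list should be the resolver's own ephemeral range rather than just 53, which is the reason for giving the resolver an exclusive address in the first place.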