Date: Fri, 13 Mar 2009 22:46:48 +0200
From: Dmitriy Demidov <dima_bsd@inbox.lv>
To: freebsd-ipfw@freebsd.org
Subject: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200903132246.49159.dima_bsd@inbox.lv>
Hi list.

I'm using the DNS cache server Unbound-1.2.1. I want to start using DNSSEC via DLV (Unbound gracefully allows it). My system is FreeBSD 7-STABLE. I'm using ipfw.

Original ipfw configuration:

    add check-state
    add deny icmp from any to any frag
    add allow icmp from any to me icmptypes 0,3,11
    add allow icmp from me to any out keep-state
    add allow tcp from me to any out keep-state
    add allow udp from me to any out keep-state
    add deny ip from any to any

/etc/sysctl.conf:

    net.inet.ip.fw.dyn_udp_lifetime=60

The problem is that Unbound can't do DNSSEC validation using this firewall configuration. It complains with something like this:

    [1236970569] unbound[9096:3] info: resolving <dlv.isc.org. DNSKEY IN>
    [1236970569] unbound[9096:3] info: failed to prime trust anchor -- could not fetch DNSKEY rrset <dlv.isc.org. DNSKEY IN>
    [1236970569] unbound[9096:3] info: Could not establish a chain of trust to keys for <dlv.isc.org. DNSKEY IN>

Unbound starts working only when I put this set of rules in ipfw, to handle all UDP packets outside of the keep-state rules:

    add allow udp from any to any
    add check-state
    add deny icmp from any to any frag
    add allow icmp from any to me icmptypes 0,3,11
    add allow icmp from me to any out keep-state
    add allow tcp from me to any out keep-state
    add allow udp from me to any out keep-state
    add deny ip from any to any

It looks like dynamically created rules somehow inadequately handle big UDP packets (DNSSEC answers are big). Is there anyone who can help investigate this issue (it looks like I can't do it myself)? Can it be an ipfw-related issue?

Thanks.
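The fragmentation effect the subject line asks about, shown with an added example that is not part of Dmitriy's message and is not ipfw's own code: a toy stateful filter keyed on the UDP 5-tuple, a constructed oversized DNS reply, and RFC 791 fragmentation, which leaves every fragment but the first without a UDP header. That ipfw's dynamic rules behave like this toy lookup is an assumption; the addresses, ports and sizes are constructed.

```python
"""Constructed illustration: why a 5-tuple dynamic (keep-state) rule cannot
classify the non-initial IP fragments of a large UDP (e.g. DNSSEC) reply."""
import struct

IP_HDR_LEN = 20    # IPv4 header without options
UDP_HDR_LEN = 8

def udp_datagram(sport, dport, payload):
    """UDP header + payload; checksum left zero (sample bytes, never sent)."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload

def fragment(transport, mtu=1500):
    """Split transport bytes into IPv4 fragments (RFC 791): each fragment carries
    a multiple of 8 data bytes, its offset in 8-byte units and the MF flag."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8
    frags, off = [], 0
    while off < len(transport):
        chunk = transport[off:off + max_data]
        frags.append({"offset": off // 8,
                      "mf": off + len(chunk) < len(transport),
                      "data": chunk})
        off += len(chunk)
    return frags

def dynamic_rule_key(src, sport, dst, dport):
    """Direction-independent key: a reply pairs with the query that created the state."""
    return frozenset([(src, sport), (dst, dport)])

def lookup(state, src, dst, frag):
    """True if a 5-tuple dynamic rule matches this fragment. Only the first
    fragment (offset 0) contains the UDP header; later fragments carry raw
    payload, so there are no ports to match against the state table."""
    if frag["offset"] != 0:
        return False
    sport, dport = struct.unpack("!HH", frag["data"][:4])
    return dynamic_rule_key(src, sport, dst, dport) in state

def simulate(reply_len=3000, mtu=1500):
    """An outbound DNS query creates state; a large reply arrives fragmented.
    Returns (total_fragments, fragments_matched_by_state)."""
    me, query_port = "192.0.2.10", 40000           # constructed resolver host/port
    server, dns_port = "198.51.100.53", 53         # constructed authoritative server
    state = {dynamic_rule_key(me, query_port, server, dns_port)}  # from 'keep-state'
    reply = udp_datagram(dns_port, query_port, b"\x00" * reply_len)
    frags = fragment(reply, mtu)
    matched = sum(lookup(state, server, me, f) for f in frags)
    return len(frags), matched
```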