IPFW EDNS issue

In dnsviz I get the following errors on a DNSSEC-enabled domain:

Code:
No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.

and

Code:
No response was received from the server over UDP (tried 4 times)

According to my "google research", this must be caused by IPFW limiting UDP packets to 512 bytes while EDNS requires 4096.

Indeed - stopping the firewall solves the issue.

Here is my ipfw.rules file:

Code:
#!/bin/sh
#################################################
# ipfw Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush
pif="em0"

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag
$cmd reass udp from any to any in

#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state
$cmd allow icmp from any to any

#################################################
# Table 10 for IP blocks
#################################################
ipfw -q table 10 add 127.0.0.2
ipfw -q add 900 deny ip from 'table(10)' to any

#################################################
# Incoming/Outgoing Services
#################################################
$cmd 60001 allow tcp from any to any 21 setup limit src-addr 10
$cmd 60002 allow tcp from any to any 22 setup limit src-addr 8
$cmd 60003 allow tcp from any to any 25 setup limit src-addr 10
$cmd 60004 allow tcp from any to any 587 setup limit src-addr 20
$cmd 60005 allow tcp from any to any 53 setup limit src-addr 10
$cmd 60006 allow udp from any to any 53 limit src-addr 10
$cmd 60007 allow tcp from any to any 80 setup limit src-addr 30
$cmd 60008 allow tcp from any to any 110 setup limit src-addr 30
$cmd 60009 allow tcp from any to any 143 setup limit src-addr 20
$cmd 60010 allow tcp from any to any 443 setup limit src-addr 10
$cmd 60011 allow tcp from any to any 2222 setup limit src-addr 12
$cmd 60012 allow tcp from any to any 35000-35999 in setup limit src-addr 50
$cmd 60013 allow tcp from any to any 993 setup limit src-addr 20
$cmd 60014 allow tcp from any to any 995 setup limit src-addr 10
$cmd 60015 allow tcp from any to any 465 setup limit src-addr 10
$cmd 60016 allow tcp from any to any 585 setup limit src-addr 10
$cmd 60017 allow tcp from 127.0.0.1 to any 3310 setup limit src-addr 10

#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst


#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any


Here is my sysctl.conf:

Code:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=1
net.inet6.ip6.v6only=0
net.inet.tcp.msl=15000
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=200
kern.ipc.somaxconn=32768
net.inet.tcp.maxtcptw=40960
net.inet.tcp.nolocaltimewait=1
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535
net.inet.ip.portrange.randomized=0
net.inet.tcp.fast_finwait2_recycle=1
net.inet.ip.fw.dyn_buckets=4096
net.inet.ip.forwarding=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.intr_queue_maxlen=512
net.inet.ip.random_id=1
net.inet.tcp.drop_synfin=1
net.inet.ip.redirect=0
net.inet.tcp.syncookies=1
net.inet.ip.fastforwarding=1
net.inet.tcp.delayed_ack=0
net.inet.udp.maxdgram=57344
kern.ipc.maxsockbuf=2097152
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
net.inet.icmp.maskrepl=0
# OID corrected: the node lives under net.inet.icmp (net.icmp.bmcastecho is not a valid sysctl)
net.inet.icmp.bmcastecho=0
net.inet.tcp.icmp_may_rst=0
net.inet.ip.fw.one_pass=0
kern.maxfiles=65536
kern.maxfilesperproc=32000
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.inet.ip.fw.dyn_max=65536
net.inet.ip.fw.dyn_keepalive=1
net.inet.tcp.finwait2_timeout=15000
#net.inet.tcp.fastopen.enabled=1
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
net.inet.tcp.mssdflt=1452

Any ideas what I am doing wrong?
 
The issue is fixed.

FYI - the problem was:

Code:
$cmd 60006 allow udp from any to any 53 limit src-addr 10

It seems that src-addr 10 is too low. I increased it to 50 and it started to work fine. Now I should find out what the optimal value is.
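The `limit src-addr N` keyword on rule 60006 caps the number of concurrent dynamic states that one source address may hold on that rule, and each UDP state lingers for `net.inet.ip.fw.dyn_udp_lifetime` seconds (default 10) after its last packet. A validator such as dnsviz fires many UDP/53 queries in a burst from one address, so the states pile up and the queries beyond the ceiling are silently dropped, which is what the "no response over UDP" errors look like from the outside. The script below is an added example for checking this on the firewall host (it is not from the post or from FreeBSD); it parses `ipfw -d list` output and reports how many UDP/53 states each source holds on a given rule, and which sources have reached the limit. Assumptions not stated in the post: the dynamic-rule line layout `<rulenum> <pkts> <bytes> (<secs>s) STATE <proto> <src> <sport> <-> <dst> <dport> ...` used by recent FreeBSD releases, and the sample output embedded in `SAMPLE`, which is constructed to show one resolver sitting exactly at the `limit src-addr 10` ceiling.

```shell
#!/bin/sh
# Added example (not from the forum post or FreeBSD): per-source accounting of
# ipfw dynamic UDP states, to see how close a client is to "limit src-addr N".
#
# Assumed "ipfw -d list" layout for dynamic entries (verify against your host):
#   <rulenum> <pkts> <bytes> (<secs>s) STATE <proto> <src> <sport> <-> <dst> <dport> ...

# Print "count src" for every source holding a UDP state under RULE ($1),
# busiest source first. Reads "ipfw -d list" output on stdin.
states_per_source() {
    rule="$1"
    awk -v rule="$rule" '
        # keep only dynamic-state lines that belong to the rule of interest
        $1 == rule && $5 == "STATE" && $6 == "udp" { n[$7]++ }
        END { for (src in n) printf "%d %s\n", n[src], src }
    ' | sort -rn
}

# Print the UDP state count that one source ($2) holds under RULE ($1); 0 if none.
states_for_source() {
    rule="$1"; src="$2"
    awk -v rule="$rule" -v src="$src" '
        $1 == rule && $5 == "STATE" && $6 == "udp" && $7 == src { n++ }
        END { print n + 0 }
    '
}

# List every source at or above LIMIT ($2) for RULE ($1); exit 1 if any exists,
# so the function can drive an alert or a cron job.
report_saturated() {
    rule="$1"; limit="$2"
    states_per_source "$rule" | awk -v limit="$limit" '
        $1 >= limit { printf "source %s holds %d states (limit %d)\n", $2, $1, limit; hit = 1 }
        END { if (hit) exit 1; exit 0 }
    '
}

# Constructed sample in the assumed layout: resolver 203.0.113.10 has ten live
# UDP/53 states on rule 60006, i.e. it is at the "limit src-addr 10" ceiling
# from the post; a second client holds one state; an SSH state is unrelated.
SAMPLE='## Dynamic rules (12 4096):
60006 1 80 (9s) STATE udp 203.0.113.10 40001 <-> 198.51.100.1 53 :default
60006 1 80 (9s) STATE udp 203.0.113.10 40002 <-> 198.51.100.1 53 :default
60006 1 80 (8s) STATE udp 203.0.113.10 40003 <-> 198.51.100.1 53 :default
60006 1 80 (8s) STATE udp 203.0.113.10 40004 <-> 198.51.100.1 53 :default
60006 1 80 (8s) STATE udp 203.0.113.10 40005 <-> 198.51.100.1 53 :default
60006 1 80 (7s) STATE udp 203.0.113.10 40006 <-> 198.51.100.1 53 :default
60006 1 80 (7s) STATE udp 203.0.113.10 40007 <-> 198.51.100.1 53 :default
60006 1 80 (6s) STATE udp 203.0.113.10 40008 <-> 198.51.100.1 53 :default
60006 1 80 (6s) STATE udp 203.0.113.10 40009 <-> 198.51.100.1 53 :default
60006 1 80 (5s) STATE udp 203.0.113.10 40010 <-> 198.51.100.1 53 :default
60006 1 80 (7s) STATE udp 198.51.100.77 52000 <-> 198.51.100.1 53 :default
60002 3 360 (280s) STATE tcp 192.0.2.9 51515 <-> 198.51.100.1 22 :default
'

# Live usage on the firewall host (root):
#   ipfw -d list | states_per_source 60006
#   ipfw -d list | report_saturated 60006 10
#   sysctl net.inet.ip.fw.dyn_udp_lifetime   # seconds each UDP state lingers
# Offline demo against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE" | report_saturated 60006 10
fi
```

Run the live form while a dnsviz probe is in progress to watch the count for the validator's address climb toward the rule's limit; the right value for `limit src-addr` is whatever keeps a legitimate burst of queries from one resolver, multiplied by the state lifetime, under the ceiling.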