freebsd ipfw question

Timothe Litt litt at acm.org
Fri Feb 18 12:24:39 UTC 2022 

On 17-Feb-22 16:45, Randy Bush wrote:
> for some reason lost in time, i have the following in `/etc/ipfw.rules`
> on a freebsd system running bind9
>
>      add allow tcp from any to me 53 limit src-addr 1 setup
>      add deny tcp from any to me 53
>
> the results are
>
>      01000  48358531   6390772849 allow tcp from any to me 53 setup limit src-addr 1 :default
>      01100    165225      9379997 deny tcp from any to me 53
>
> is this about normal?
>
> randy

This seems like an artifact of a time when people assumed that TCP use 
was rare (and expensive), and likely only used for zone transfers.  Were 
that the case, this would have been an attempt to protect against denial 
of service attacks.

This was always a bad assumption.  With today's larger responses & 
traffic profiles, if it ever made sense, it's long past its expiration 
date.  TCP is required, and no RFC requires a client (or clients) on a 
host to minimize the number of TCP connections. Nor to limit the number 
of active zone transfers per host.

The effect is likely to be that client responses are slow and/or pushed 
away from this server to one that's more tolerant.  Whether the 165K 
dropped connections are significant is impossible to tell without (a) 
knowing the amount of time it represents and (b) what those attempts 
were trying to do.  They represent about 0.3% of the traffic in this 
interval - but that doesn't measure their importance.

Since you don't have a specific rationale for the rule based on a known 
situation, I would remove it.  (More precisely, remove the limit, which 
means replacing these rules with something like 'allow tcp from any to 
me 53'.)  If that results in abusive traffic, another (traffic-specific) 
approach to dealing with it would be in order.  And if it comes to that, 
do yourself (and your successors) a favor and document the problem you 
encounter and how your solution works...

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220218/50fc00c9/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220218/50fc00c9/attachment.sig>

More information about the bind-users mailing list