NetBSD-Users archive


Re: IPF rules



I don't know if this is relevant, but my ISP upgraded hardware.
The nameserver only uses IPv6 addresses (and only IPv6 protocol?).
I found IPv4 addresses using nslookup.

On Fri, Jul 2, 2021 at 11:13 PM Jason Mitchell <jmitchel%bigjar.com@localhost> wrote:
>
> On 7/1/21 10:17 PM, Todd Gruhn wrote:
> > I like the point about DNS -- sooo if I accept tcp/53 and udp/53, that
> > can speed things up?
> >
> > On Thu, Jul 1, 2021 at 10:03 PM Todd Gruhn <tgruhn2%gmail.com@localhost> wrote:
> >> How would I know if IPF is the problem?
> >>
> >> I stole the IPF rules from 2 of the IPF examples in /usr/share/examples/ipf
> >>
> >> On Thu, Jul 1, 2021 at 9:39 PM Brett Lymn <blymn%internode.on.net@localhost> wrote:
> >>> On Thu, Jul 01, 2021 at 07:05:13PM -0400, Todd Gruhn wrote:
> >>>> Is there a way to order IPF-rules so I can get on gmail quicker?
> >>>> What about speeding up network access in general?
> >>> A couple of thoughts:
> >>>
> >>> 1) are you sure it is ipf causing the issue? How is gmail without the
> >>> firewall on?  I wouldn't expect a performance impact from ipf unless
> >>> your firewalling is very complex.
> >>>
> >>> 2) are you sure your rules are correct?  A particularly favourite
> >>> hobby-horse of mine is people  blocking DNS over tcp/53 due to the
> >>> totally WRONG belief that only dns zone transfers use tcp/53.  This is
> >>> WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
> >>> then the DNS server will reply to the client telling it to try over tcp.
> >>> If your firewall doesn't allow that to happen there may be delays in
> >>> name resolution which could cause the appearance that gmail is slow.
> >>>
> >>> --
> >>> Brett Lymn
> >>> --
> >>> Sent from my NetBSD device.
> >>>
> >>> "We are were wolves",
> >>> "You mean werewolves?",
> >>> "No we were wolves, now we are something else entirely",
> >>> "Oh"
>
> I think you would only need to allow inbound connections to tcp port 53
> if you were running a nameserver on your machine. You would want to make
> sure that you allow outbound connections on tcp port 53 from your
> nameserver in any case. Are you using your own nameserver or are you
> using another machine for name resolution?
>
> If the nameserver isn't on your computer then: "nc -w 4 -v <nameserver
> ip> 53" will let you know if you can connect to that server on port 53.
> (-v = verbose, -w 4 = 4 second timeout so you don't wait forever). If
> there's a network problem the connection will timeout or you'll get an
> error. Here are examples:
>
> # nc -w 4 -v 8.8.8.7 53
> nc: connect to 8.8.8.7 port 53 (tcp) failed: Connection timed out
>
> # nc -w 4 -v 8.8.8.8 53
> Connection to 8.8.8.8 53 port [tcp/domain] succeeded!
>
> # nc -w 4 -v <local ip> 53
> nc: connect to <local ip> port 53 (tcp) failed: Connection refused
>
> Use Ctrl-D to close nc if a connection is made. If you're not sure what
> nameserver you're using then "resolvconf -l" should show you. I'm
> simplifying somewhat as things can be (much) more complicated. But
> hopefully I've made things somewhat clearer. <crosses fingers>
>
> And I use mail.google.com somewhat often and it goes to the same place
> as gmail.com.
>
> Thanks,
>
> Jason M.
>
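The exchange Brett describes (the server answering with the truncation bit so the client retries over tcp/53) and the reachability check Jason does with nc, as an added example that is not part of the thread and not NetBSD or IPFilter code. It builds a plain DNS query, inspects the header of the reply for QR+TC, and re-sends the same query over TCP with the 2-byte length prefix DNS-over-TCP requires. The resolver address and name on the command line are whatever you pass in; the truncated reply used for testing is constructed inline, not captured traffic. If outbound tcp/53 is blocked, the TCP step is the one that times out, which is exactly the stall that makes name resolution look slow.

```python
import socket
import struct
import random
import sys

DNS_FLAG_QR = 0x8000  # response bit
DNS_FLAG_TC = 0x0200  # truncated: answer did not fit in UDP, retry over TCP
DNS_FLAG_RD = 0x0100  # recursion desired

def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (QTYPE A by default, class IN, RD set)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)  # random id: basic answer spoofing resistance
    header = struct.pack("!HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return the six 16-bit header fields of a DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}

def is_truncated(msg):
    """True when the message is a response with the TC bit set."""
    flags = parse_header(msg)["flags"]
    return bool(flags & DNS_FLAG_QR) and bool(flags & DNS_FLAG_TC)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def truncated_reply_for(query):
    """Constructed sample: a reply to `query` with QR, RD, RA and TC set and no records.
    This is what a server sends when the full answer would not fit in UDP."""
    h = parse_header(query)
    flags = DNS_FLAG_QR | DNS_FLAG_RD | 0x0080 | DNS_FLAG_TC
    return struct.pack("!HHHHHH", h["id"], flags, h["qdcount"], 0, 0, 0) + query[12:]

def _family(server):
    return socket.AF_INET6 if ":" in server else socket.AF_INET

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full DNS message arrived")
        buf += chunk
    return buf

def query_udp(server, query, timeout=4.0):
    with socket.socket(_family(server), socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data

def query_tcp(server, query, timeout=4.0):
    # Same check nc -w 4 -v <server> 53 performs, then the real DNS exchange on top.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)

def resolve_with_fallback(server, name, timeout=4.0):
    """UDP first; if the server sets TC, repeat the query over tcp/53.
    Returns (raw response, transport used)."""
    query = build_query(name)
    resp = query_udp(server, query, timeout)
    if parse_header(resp)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch, discarding reply")
    if not is_truncated(resp):
        return resp, "udp"
    try:
        return query_tcp(server, query, timeout), "tcp"
    except (socket.timeout, OSError) as e:
        # A firewall that passes udp/53 but drops tcp/53 lands here after the timeout.
        raise RuntimeError(f"UDP answer truncated and tcp/53 to {server} failed: {e}") from e

if __name__ == "__main__":
    # Usage: python3 dns_tc.py <nameserver ip> <name>   (assumed invocation, not from the thread)
    server, name = sys.argv[1], sys.argv[2]
    resp, transport = resolve_with_fallback(server, name)
    h = parse_header(resp)
    print(f"{name}: {h['ancount']} answer record(s) via {transport}, rcode {h['flags'] & 0xF}")
```

Run it against the resolver that "resolvconf -l" reports; a result of "via tcp" on a name with a large answer set, or a RuntimeError naming tcp/53, tells you whether the TCP path the server asks for is actually open through the ruleset.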

