NetBSD-Users archive


Re: IPF rules



On 7/1/21 10:17 PM, Todd Gruhn wrote:
I like the point about DNS -- sooo if I accept tcp/53 and udp/53, that can speed things up?

On Thu, Jul 1, 2021 at 10:03 PM Todd Gruhn <tgruhn2%gmail.com@localhost> wrote:
How would I know if IPF is the problem?

I stole the IPF rules from 2 of the IPF examples in /usr/share/examples/ipf

On Thu, Jul 1, 2021 at 9:39 PM Brett Lymn <blymn%internode.on.net@localhost> wrote:
On Thu, Jul 01, 2021 at 07:05:13PM -0400, Todd Gruhn wrote:
Is there a way to order IPF-rules so I can get on gmail quicker?
What about speeding up network access in general?
A couple of thoughts:

1) are you sure it is ipf causing the issue? How is gmail without the
firewall on?  I wouldn't expect a performance impact from ipf unless
your firewalling is very complex.

2) are you sure your rules are correct?  A particular favourite
hobby-horse of mine is people blocking DNS over tcp/53 due to the
totally WRONG belief that only dns zone transfers use tcp/53.  This is
WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
then the DNS server will reply to the client telling it to try over tcp.
If your firewall doesn't allow that to happen there may be delays in
name resolution which could cause the appearance that gmail is slow.

--
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"

I think you would only need to allow inbound connections to tcp port 53 if you were running a nameserver on your machine. You would want to make sure that you allow outbound connections on tcp port 53 from your nameserver in any case. Are you using your own nameserver or are you using another machine for name resolution?

If the nameserver isn't on your computer then: "nc -w 4 -v <nameserver ip> 53" will let you know if you can connect to that server on port 53. (-v = verbose, -w 4 = 4 second timeout so you don't wait forever). If there's a network problem the connection will time out or you'll get an error. Here are examples:

# nc -w 4 -v 8.8.8.7 53
nc: connect to 8.8.8.7 port 53 (tcp) failed: Connection timed out

# nc -w 4 -v 8.8.8.8 53
Connection to 8.8.8.8 53 port [tcp/domain] succeeded!

# nc -w 4 -v <local ip> 53
nc: connect to <local ip> port 53 (tcp) failed: Connection refused

Use Ctrl-D to close nc if a connection is made. If you're not sure what nameserver you're using then "resolvconf -l" should show you. I'm simplifying somewhat as things can be (much) more complicated. But hopefully I've made things somewhat clearer. <crosses fingers>

And I use mail.google.com somewhat often and it goes to the same place as gmail.com.

Thanks,

Jason M.
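The UDP-to-TCP fallback Brett describes, and the tcp/53 reachability check Jason does with nc, in one small stub-resolver probe. This is an added example, not code from the thread; the 4-second timeout mirrors the "nc -w 4" above, and the resolver address you pass to resolve() is whatever "resolvconf -l" reports.

```python
import socket
import struct

TIMEOUT = 4.0  # seconds, matching the "nc -w 4" probe above

def build_query(name, qtype=1, qid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one IN-class question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def response_truncated(resp):
    """True when the TC bit (0x0200 in the flags word) is set: the answer did not
    fit in UDP and the server is telling the client to retry over TCP."""
    if len(resp) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    flags = struct.unpack("!H", resp[2:4])[0]
    return bool(flags & 0x0200)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed tcp/53 mid-message")
        buf += chunk
    return buf

def resolve(name, server, timeout=TIMEOUT):
    """UDP first; on TC fall back to TCP. Returns (transport, raw_response).
    A firewall silently dropping tcp/53 surfaces here as socket.timeout."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        resp, _ = udp.recvfrom(512)
    if not response_truncated(resp):
        return "udp", resp
    # TC set: the server wants the same question again over tcp/53.
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return "tcp", recv_exact(tcp, length)
```

Running resolve("example.com", "8.8.8.8") from the machine behind the IPF rules tells you which transport answered; if the UDP reply is truncated and the TCP leg raises socket.timeout while nc to the same address succeeds from elsewhere, the ruleset is what is blocking tcp/53.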


