The default IPFW "workstation" rules seem to block fragmented packets caused by DNSSEC, in turn causing DNS to fail for some domains (including freebsd.org subdomains) when DNS resolution is performed locally (using BIND or Unbound).
The addition of the IPFW rule "ipfw add reass udp from any to any in" to /etc/rc.firewall, under type workstation, fixes the issue.
This issue was discussed at:
Needs some testers, but this should fix it
(In reply to Mark Felder from comment #1)
Tested and works.
However the reass should come *before* the check-state as fragments (except the first) don't include protocol and port numbers and thus cannot match check-state anyway. We need to reassemble first, then check-state will do the right thing. (It doesn't harm to implement as proposed, but we may save a few cycles if we reass first.)
Furthermore, along the same line we should not only reassemble UDP but any IP packet (including IPv6), which is also suggested by ipfw(8) manpage:
Usually a simple rule like:
# reassemble incoming fragments
ipfw add reass all from any to any in
is all you need at the beginning of your ruleset.
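The ordering described above, as an added example that is not part of the bug report or of rc.firewall itself: a workstation-style rule set with reassembly of all incoming fragments ahead of check-state, plus a check that the order is what the thread asks for. FWCMD defaults to "echo" so it runs as a dry run anywhere; the rule numbers, the "me" address and the 53/udp rule are illustrative assumptions.

```shell
# Added example, not the bug report's or rc.firewall's own code.
# Pass "/sbin/ipfw -q" as the first argument on a real FreeBSD firewall;
# the default "echo" only prints the rules so the script runs anywhere.

workstation_rules() {
    fwcmd="${1:-echo}"
    # Reassemble first: only the first fragment carries UDP/TCP ports, so
    # check-state (and any port-matching rule) cannot see later fragments
    # until they have been put back together. "all" also covers IPv6.
    # Caveat from ipfw(8): with net.inet.ip.fw.one_pass=1 a reassembled
    # packet is accepted at this rule and skips the rest of the ruleset;
    # with one_pass=0 it continues to the next rule.
    $fwcmd add 100 reass all from any to any in
    # Dynamic rules can now match the reassembled datagram.
    $fwcmd add 200 check-state
    # Outbound DNS from the local resolver creates the dynamic state that a
    # large (fragmented) DNSSEC reply matches on the way back in.
    $fwcmd add 300 allow udp from me to any 53 out keep-state
    $fwcmd add 65000 deny ip from any to any
}

# Check the ordering property the thread asks for: the reass rule must
# carry a lower number than check-state. Returns 0 when the order is right.
reass_precedes_check_state() {
    rules="$(workstation_rules echo)"
    reass_no=$(printf '%s\n' "$rules" | awk '$1=="add" && $3=="reass" {print $2; exit}')
    cs_no=$(printf '%s\n' "$rules" | awk '$1=="add" && $3=="check-state" {print $2; exit}')
    [ -n "$reass_no" ] && [ -n "$cs_no" ] && [ "$reass_no" -lt "$cs_no" ]
}
```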
(In reply to Helge Oldach from comment #2)
In general the reass should come before any rule that might check
a port number, as only the first packet, or a completely reassembled
packet has a port number.
So I agree it should be moved before the check state, and probably
moved even much earlier.
The other issue is that net.inet.ip.fw.one_pass must be turned on
for this to work, that change requires further considerations and