From: "Terrence Koeman"
To: "Freek Dijkstra"
Cc: "ipfw@freebsd.org"
Date: Wed, 15 Feb 2012 00:31:40 +0100
Subject: RE: Local IPv6 traffic not send over loopback?
Organization: MediaMonks B.V.
Message-Id: <54ae383d8f680344a2c72f1ed59b366f@mediamonks.com>
In-Reply-To: <4F3AD9F2.9020405@macfreek.nl>
List-Id: IPFW Technical Discussions

On Tue, 14 Feb 2012 at 23:02:26, Freek Dijkstra wrote:

> Hi,
>
> I added a few rules to my firewall to prevent spoofing source IP
> addresses. I encountered some (to me) unexpected behaviour where IPv6
> traffic originating at the host would match an ipfw rule with "in" and
> "recv " set.
>
> I very much appreciate it if someone could replicate the following
> behaviour, and report the results.
>
> 1. Add a firewall rule:
>    "count log ipv6 from me to me not recv lo0"
> 2. On the host, ping6 to one of its IP addresses.
>
> Here is the result for me:
>
> 2001:610:767:4ec1::1 is an IPv6 address of my host. So I would expect
> that pinging the IP from host itself would use the loopback interface.
> route get confirms this:
>
> % route get -inet6 2001:610:767:4ec1::1
>    route to: 2001:610:767:4ec1::1
> destination: 2001:610:767:4ec1::1
>   interface: lo0
>       flags:
>  recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
>        0         0         0         0     16384         1         0
>
> However, ipfw thinks the traffic is received through another interface:
>
> % ipfw add 1200 count log ipv6 from me to me not recv lo0
> % ipfw add 1201 count log ipv6 from me to me out not recv lo0
> % ipfw add 1202 count log ipv6 from me to me in not recv lo0
> % ping6 -c 1 2001:610:767:4ec1::1
>
> ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
> ipfw: 1202 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
>
> [snip]

I have replicated what you're doing for ipv4 and ipv6, results are attached.

There is a difference, ping seems to use 127.0.0.1 to send the echo request and ping6 doesn't use ::1 to send it. Possibly this is by design.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)

Please quote relevant replies in correspondence.

[Attachment: ipv4.txt]

# route get -inet 217.195.117.150
   route to: ns1.mediamonks.net
destination: ns1.mediamonks.net
  interface: lo0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0
------------
# ping -c 1 217.195.117.150
PING 217.195.117.150 (217.195.117.150): 56 data bytes
64 bytes from 217.195.117.150: icmp_seq=0 ttl=64 time=0.028 ms

--- 217.195.117.150 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.028/0.028/0.028/0.000 ms
------------
00011 count log logamount 200 ip from me to me not recv lo0
00012 count log logamount 200 ip from me to me out not recv lo0
00013 count log logamount 200 ip from me to me in not recv lo0
------------
Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0
------------

[Attachment: ipv6.txt]

# route get -inet6 2a03:5500:236:0:217:195:117:150
   route to: ns1.mediamonks.net
destination: ns1.mediamonks.net
  interface: lo0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0
------------
# ping6 -c 1 2a03:5500:236:0:217:195:117:150
PING6(56=40+8+8 bytes) 2a03:5500:236:0:217:195:117:150 --> 2a03:5500:236:0:217:195:117:150
16 bytes from 2a03:5500:236:0:217:195:117:150, icmp_seq=0 hlim=64 time=0.274 ms

--- 2a03:5500:236:0:217:195:117:150 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.274/0.274/0.274/0.000 ms
------------
00001 count log logamount 200 ip6 from me6 to me6 not recv lo0
00002 count log logamount 200 ip6 from me6 to me6 out not recv lo0
00003 count log logamount 200 ip6 from me6 to me6 in not recv lo0
------------
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
------------
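
Added example (not part of the original message or its attachments): a small Python parser for the ipfw log lines in the attached ipv4.txt and ipv6.txt that lists packets whose source and destination are both local addresses but which were logged on an interface other than lo0, which is the case the "not recv lo0" anti-spoofing rule trips on. The function names and the LOCAL_ADDRS list are assumptions made for this illustration, and only the ICMP/ICMPv6 line form shown in the attachments is handled.

```python
import ipaddress
import re

# ICMP/ICMPv6 form of an ipfw log line as it appears in the attachments;
# IPv6 addresses are bracketed, IPv4 addresses are not.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) \w+ (?P<proto>\S+) "
    r"\[?(?P<src>[0-9A-Fa-f:.]+)\]? \[?(?P<dst>[0-9A-Fa-f:.]+)\]? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Log lines taken from the attached ipv4.txt and ipv6.txt (echo requests only).
V6 = "[2a03:5500:236:0:217:195:117:150]"
SAMPLE_LOG = [
    "Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0",
    "Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0",
    f"Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 {V6} {V6} out via lo0",
    f"Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:128.0 {V6} {V6} out via lo0",
    f"Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 {V6} {V6} in via em0",
    f"Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:128.0 {V6} {V6} in via em0",
]
# Assumption: the addresses ipfw would treat as "me" on the replying host.
LOCAL_ADDRS = ["127.0.0.1", "217.195.117.150", "2a03:5500:236:0:217:195:117:150"]


def parse(line):
    """Parse one ipfw log line; return None if it is not in the handled form."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # e.g. TCP/UDP lines that carry ports are not handled here
    return {"rule": int(m["rule"]), "proto": m["proto"], "src": src,
            "dst": dst, "dir": m["dir"], "iface": m["iface"]}


def local_traffic_off_loopback(lines, local_addrs, loopback="lo0"):
    """Records where both endpoints are local but the interface is not loopback."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    records = (parse(line) for line in lines)
    return [r for r in records
            if r and r["src"] in local and r["dst"] in local and r["iface"] != loopback]


if __name__ == "__main__":
    for r in local_traffic_off_loopback(SAMPLE_LOG, LOCAL_ADDRS):
        print(f"rule {r['rule']}: IPv{r['src'].version} {r['proto']} {r['dir']} via {r['iface']}")
```

On the sample lines only the IPv6 packets logged "in via em0" are reported; the IPv4 packets stay on lo0 in both attachments.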