Date:      Wed, 15 Feb 2012 00:31:40 +0100
From:      "Terrence Koeman" <terrence@mediamonks.net>
To:        "Freek Dijkstra" <public@macfreek.nl>
Cc:        "ipfw@freebsd.org" <ipfw@freebsd.org>
Subject:   RE: Local IPv6 traffic not send over loopback?
Message-ID:  <54ae383d8f680344a2c72f1ed59b366f@mediamonks.com>
In-Reply-To: <4F3AD9F2.9020405@macfreek.nl>

On Tue, 14 Feb 2012 at 23:02:26, Freek Dijkstra wrote:

> Hi,
>
> I added a few rules to my firewall to prevent spoofing source IP
> addresses. I encountered some (to me) unexpected behaviour where IPv6
> traffic originating at the host would match an ipfw rule with "in" and
> "recv <interface>" set.
>
> I very much appreciate it if someone could replicate the following
> behaviour, and report the results.
>
> 1. Add a firewall rule:
>    "count log ipv6 from me to me not recv lo0"
> 2. On the host, ping6 to one of its IP addresses.
>
> Here is the result for me:
>
> 2001:610:767:4ec1::1 is an IPv6 address of my host. So I would expect
> that pinging the IP from host itself would use the loopback interface.
> route get confirms this:
>
> % route get -inet6 2001:610:767:4ec1::1
>    route to: 2001:610:767:4ec1::1
> destination: 2001:610:767:4ec1::1
>   interface: lo0
>       flags: <UP,HOST,DONE,STATIC>
>  recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
>        0         0         0         0     16384         1         0
> However, ipfw thinks the traffic is received through another interface:
>
> % ipfw add 1200 count log ipv6 from me to me     not recv lo0
> % ipfw add 1201 count log ipv6 from me to me out not recv lo0
> % ipfw add 1202 count log ipv6 from me to me in  not recv lo0
> % ping6 -c 1 2001:610:767:4ec1::1
>
>> ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1]
>> [2001:610:767:4ec1::1] in via em3 ipfw: 1202 Count ICMPv6:128.0
>> [2001:610:767:4ec1::1]
> [2001:610:767:4ec1::1] in via em3
>
[snip]

I have replicated what you're doing for ipv4 and ipv6, results are attached.

There is a difference, ping seems to use 127.0.0.1 to send the echo request 
and ping6 doesn't use ::1 to send it. Possibly this is by design.

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.

Attachment: ipv4.txt

# route get -inet 217.195.117.150
   route to: ns1.mediamonks.net
destination: ns1.mediamonks.net
  interface: lo0
      flags: <UP,HOST,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0

------------

# ping -c 1 217.195.117.150
PING 217.195.117.150 (217.195.117.150): 56 data bytes
64 bytes from 217.195.117.150: icmp_seq=0 ttl=64 time=0.028 ms

--- 217.195.117.150 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.028/0.028/0.028/0.000 ms

------------

00011 count log logamount 200 ip from me to me not recv lo0
00012 count log logamount 200 ip from me to me out not recv lo0
00013 count log logamount 200 ip from me to me in not recv lo0

------------

Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 12 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0

------------

Attachment: ipv6.txt

# route get -inet6 2a03:5500:236:0:217:195:117:150
   route to: ns1.mediamonks.net
destination: ns1.mediamonks.net
  interface: lo0
      flags: <UP,HOST,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0

------------

# ping6 -c 1 2a03:5500:236:0:217:195:117:150
PING6(56=40+8+8 bytes) 2a03:5500:236:0:217:195:117:150 --> 2a03:5500:236:0:217:195:117:150
16 bytes from 2a03:5500:236:0:217:195:117:150, icmp_seq=0 hlim=64 time=0.274 ms

--- 2a03:5500:236:0:217:195:117:150 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.274/0.274/0.274/0.000 ms

------------

00001 count log logamount 200 ip6 from me6 to me6 not recv lo0
00002 count log logamount 200 ip6 from me6 to me6 out not recv lo0
00003 count log logamount 200 ip6 from me6 to me6 in not recv lo0

------------

Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:128.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 2 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:129.0 [2a03:5500:236:0:217:195:117:150] [2a03:5500:236:0:217:195:117:150] in via em0

------------
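
Added example (not part of the original message or its attachments): a small Python parser for the ipfw log lines above that tallies hits per address family, direction and interface, and lists the self-to-self packets ipfw reported as inbound on a non-loopback interface. The regular expression covers only the ICMP/ICMPv6 line shape shown here, and the function names are illustrative.

```python
import re
from collections import Counter

# Subset of the kernel log lines from the ipv4.txt and ipv6.txt attachments
# (rules 11 and 1: any direction; rule 3: "in"). V6 only shortens the literal.
V6 = "2a03:5500:236:0:217:195:117:150"
SAMPLE_LOG = f"""\
Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:8.0 127.0.0.1 217.195.117.150 out via lo0
Feb 15 00:17:52 obhasa kernel: ipfw: 11 Count ICMP:0.0 217.195.117.150 127.0.0.1 out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:128.0 [{V6}] [{V6}] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:128.0 [{V6}] [{V6}] in via em0
Feb 15 00:19:41 obhasa kernel: ipfw: 1 Count ICMPv6:129.0 [{V6}] [{V6}] out via lo0
Feb 15 00:19:41 obhasa kernel: ipfw: 3 Count ICMPv6:129.0 [{V6}] [{V6}] in via em0
"""

# Matches only the ICMP/ICMPv6 log shape shown on this page; TCP/UDP lines
# carry ports and are not handled (assumption of this example).
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>ICMP(?:v6)?):(?P<type>\d+)\.(?P<code>\d+) "
    r"\[?(?P<src>[0-9A-Fa-f:.]+)\]? \[?(?P<dst>[0-9A-Fa-f:.]+)\]? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse(log):
    """Return one dict per ipfw log line that matches LINE_RE."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            rec["family"] = "inet6" if rec["proto"] == "ICMPv6" else "inet"
            records.append(rec)
    return records

def interfaces_seen(records):
    """Count hits per (family, direction, interface)."""
    return Counter((r["family"], r["dir"], r["iface"]) for r in records)

def inbound_off_loopback(records, loopback="lo0"):
    """Lines logged as inbound on an interface other than the loopback."""
    return [r for r in records if r["dir"] == "in" and r["iface"] != loopback]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for key, n in sorted(interfaces_seen(recs).items()):
        print(*key, n)
    for r in inbound_off_loopback(recs):
        print("rule", r["rule"], r["proto"], "type", r["type"], "in via", r["iface"])
```

On these lines the IPv4 ping appears only as `out via lo0` with source 127.0.0.1, while the IPv6 echo request and reply are also counted by rule 3 as `in via em0`.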