From owner-freebsd-net@freebsd.org Tue Dec 1 08:22:01 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 15B1DA3DF17 for ; Tue, 1 Dec 2015 08:22:01 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from frv191.fwdcdn.com (frv191.fwdcdn.com [212.42.77.191]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CC3F91F9A for ; Tue, 1 Dec 2015 08:22:00 +0000 (UTC) (envelope-from artemrts@ukr.net) Received: from [10.10.2.23] (helo=frv198.fwdcdn.com) by frv191.fwdcdn.com with esmtp ID 1a3ftf-000Nlz-M9 for freebsd-net@freebsd.org; Tue, 01 Dec 2015 10:02:47 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ukr.net; s=ffe; h=Content-Transfer-Encoding:Content-Type:MIME-Version:References:In-Reply-To:Message-Id:To:Subject:From:Date; bh=XoBUokSEck9xBpB4t0etApPRx487vbpvnQBYDN1LXSo=; b=gnvPvXXy/tHnnkMav8IuPgRWOd3h/tZYMpD4qBlxZk0aUeG9jQDYdSM8NMKvl+hXSgYsa7na26fNrfnl+OaNt+frZnBXz3S1IAlwFmK9LyMAaSkSNWe1t9LpIa1Bn55DEqrW0Hv4aYN/+dKh2OkdB+e3pcEjo3IAQWorCN+N4fY=; Received: from [10.10.10.34] (helo=frv34.fwdcdn.com) by frv198.fwdcdn.com with smtp ID 1a3ftU-000NTX-4o for freebsd-net@freebsd.org; Tue, 01 Dec 2015 10:02:36 +0200 Date: Tue, 01 Dec 2015 10:02:35 +0200 From: wishmaster Subject: Re: IPFW blocked my IPv6 NTP traffic To: freebsd-net@freebsd.org X-Mailer: mail.ukr.net 5.0 Message-Id: <1448956697.854911427.15is5btc@frv34.fwdcdn.com> In-Reply-To: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> X-Reply-Action: reply Received: from artemrts@ukr.net by frv34.fwdcdn.com; Tue, 01 Dec 2015 10:02:35 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: binary Content-Disposition: inline X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 08:22:01 -0000 Hi, Mark. > I'm hoping someone can explain what happened here and this isn't a bug, > but if it is a bug I'll gladly open a PR. > > I noticed in my ipfw logs that I was getting a log of "DENY" entries for > an NTP server > > Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP > [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 > > Strange... I looked at ntpq output and sure enough I was trying to > communicate with that server. But why was it getting blocked? I don't > have a rule to allow IPv4 input from source port 123. I expected IPFW to > handle this for me. I know UDP is stateless, but firewalls are usually > able to "keep state" for UDP. I looked at my v4 rules which and I have > keep-state on there: > > # Allow all outgoing, skip to NAT > ###################################### > $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks > $cmd 01310 skipto 5000 udp from any to any out via $pif $ks > $cmd 01320 skipto 5000 icmp from any to any out via $pif > ###################################### > > I noticed my outbound IPv6 didn't have $ks for udp, so I added it. > However, that had no effect. The solution was to add an incoming rule: > > $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks > > This seems wrong. Thoughts? > What is your 5000 rule? In general on public interface you should: $cmd 12345 allow log all from any to me 123 $ks And for outgoing traffic just: $cmd 1234 allow log all from me to any $ks This works for me. -- Cheers, Vitaliy