Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 01 Dec 2015 10:02:35 +0200
From:      wishmaster <artemrts@ukr.net>
To:        freebsd-net@freebsd.org
Subject:   Re: IPFW blocked my IPv6 NTP traffic
Message-ID:  <1448956697.854911427.15is5btc@frv34.fwdcdn.com>
In-Reply-To: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com>
References:  <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

Hi, Mark.
 

> I'm hoping someone can explain what happened here and this isn't a bug,
> but if it is a bug I'll gladly open a PR.
> 
> I noticed in my ipfw logs that I was getting a log of "DENY" entries for
> an NTP server
> 
> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP
> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
> 
> Strange... I looked at ntpq output and sure enough I was trying to
> communicate with that server. But why was it getting blocked? I don't
> have a rule to allow IPv4 input from source port 123. I expected IPFW to
> handle this for me. I know UDP is stateless, but firewalls are usually
> able to "keep state" for UDP. I looked at my v4 rules which and I have
> keep-state on there:
> 
> # Allow all outgoing, skip to NAT
> ######################################
> $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks
> $cmd 01310 skipto 5000 udp from any to any out via $pif $ks
> $cmd 01320 skipto 5000 icmp from any to any out via $pif
> ######################################
> 
> I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> However, that had no effect. The solution was to add an incoming rule:
> 
> $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
> 
> This seems wrong. Thoughts?
> 

 What is your 5000 rule?
 
 In general on public interface you should:
 $cmd 12345 allow log all from any to me 123 $ks

 And for outgoing traffic just:
 $cmd 1234 allow log all from me to any $ks

 This works for me.

--
Cheers,
Vitaliy

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1448956697.854911427.15is5btc>