From owner-freebsd-net@freebsd.org Tue Dec 1 16:27:44 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 26415A3E3BE for ; Tue, 1 Dec 2015 16:27:44 +0000 (UTC) (envelope-from elof2@sentor.se) Received: from smtp-out.sentor.se (smtp-out.sentor.se [176.124.225.2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DD62F14AF; Tue, 1 Dec 2015 16:27:43 +0000 (UTC) (envelope-from elof2@sentor.se) Received: from localhost (localhost [127.0.0.1]) by farmermaggot.shire.sentor.se (Postfix) with ESMTP id 7A695B61D233; Tue, 1 Dec 2015 17:27:36 +0100 (CET) Date: Tue, 1 Dec 2015 17:27:36 +0100 (CET) From: elof2@sentor.se To: Mark Felder cc: wishmaster , freebsd-net Subject: Re: IPFW blocked my IPv6 NTP traffic In-Reply-To: <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> Message-ID: References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 16:27:44 -0000 On Tue, 1 Dec 2015, Mark Felder wrote: > > > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote: >> >> Hi, Mark. >> >> >>> I'm hoping someone can explain what happened here and this isn't a bug, >>> but if it is a bug I'll gladly open a PR. >>> >>> I noticed in my ipfw logs that I was getting a log of "DENY" entries for >>> an NTP server >>> >>> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP >>> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 Three long-shots: 1) I see that you use a gif interface. That makes me wonder: Do the 'keep-state' function in 'ipfw' work as bad as it does in 'pf'? In pf, 'keep state" doesn't keep state between software network interfaces and real network interfaces. So if I allow something in via tun0 (a software OpenVPN NIC), with keep state, the response is *not* automatically (via the state table) allowed back in on the ethernet NIC it was sent out. So for all my VPN-rules, I have to make two of them like this: Pf example: pass in quick on tun0 inet proto tcp from to port 22 keep state label "VpnIN - SSH" pass out quick on em1 inet proto tcp from to port 22 keep state label "DmzOUT - SSH" 2) Is this hapening over and over, or was it just a one time thing? If the latter, could it be that you flushed your firewall state table just after a cron job ran 'ntpdate 2604:a880:800:10::bc:c004', so the query got out but immediately after the state table was emptied and hence the response got blocked? 3) If 2001:470:1f11:1e8::2 is not the ipfw node itself, but some node behind it, could the ntp query to 2604:a880:800:10::bc:c004 have taken a different path? I.e. the ipfw node doesn't see the query, but the response packet is routed to it, so it gets blocked. /Elof