From owner-freebsd-net@freebsd.org Tue Dec 1 16:43:33 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EDECFA3E771 for ; Tue, 1 Dec 2015 16:43:32 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AACCA1156 for ; Tue, 1 Dec 2015 16:43:32 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A13122095E for ; Tue, 1 Dec 2015 11:43:31 -0500 (EST) Received: from web3 ([10.202.2.213]) by compute1.internal (MEProxy); Tue, 01 Dec 2015 11:43:31 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=pr5KnxGlF/quXmZ ANPT3dQAiFLs=; b=PV/ML4uOcljqxbMKPxAR6g70Cawy7VOFnUV7wlsES61Rrs+ JVCa3+rImvJ5sDD87/IUn9N9tffT8iHFRQlkkrBxif0ErWt4ZUIXolSJWvklp4pl cfaGg9R0kPpF9gobQ4WAXxibNLmhxsS/wluEgyh1MJWE2y5IwVhDfS5ESMuM= Received: by web3.nyi.internal (Postfix, from userid 99) id 77F1D10C6B2; Tue, 1 Dec 2015 11:43:31 -0500 (EST) Message-Id: <1448988211.1298751.454855961.765FA057@webmail.messagingengine.com> X-Sasl-Enc: kmpObBhAqGhjQZsZwDYYsg8AwY4rugbchj4OcYFnQeAr 1448988211 From: Mark Felder To: elof2@sentor.se Cc: "freebsd-net" , wishmaster MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-b94e6169 In-Reply-To: References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> Subject: Re: IPFW blocked my IPv6 NTP traffic Date: Tue, 01 Dec 2015 10:43:31 -0600 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 16:43:33 -0000 On Tue, Dec 1, 2015, at 10:27, elof2@sentor.se wrote: > On Tue, 1 Dec 2015, Mark Felder wrote: > > > > > > > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote: > >> > >> Hi, Mark. > >> > >> > >>> I'm hoping someone can explain what happened here and this isn't a bug, > >>> but if it is a bug I'll gladly open a PR. > >>> > >>> I noticed in my ipfw logs that I was getting a log of "DENY" entries for > >>> an NTP server > >>> > >>> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP > >>> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 > > Three long-shots: > > 1) > I see that you use a gif interface. That makes me wonder: > Do the 'keep-state' function in 'ipfw' work as bad as it does in 'pf'? > > In pf, 'keep state" doesn't keep state between software network > interfaces and real network interfaces. So if I allow something in via > tun0 (a software OpenVPN NIC), with keep state, the response is *not* > automatically (via the state table) allowed back in on the ethernet NIC > it > was sent out. So for all my VPN-rules, I have to make two of them like > this: > > Pf example: > pass in quick on tun0 inet proto tcp from to > port 22 keep state label "VpnIN - SSH" > pass out quick on em1 inet proto tcp from to > port 22 keep state label "DmzOUT - SSH" > > That's an interesting idea. I wonder if that's happening here. > > 2) > Is this hapening over and over, or was it just a one time thing? > If the latter, could it be that you flushed your firewall state table > just after a cron job ran 'ntpdate 2604:a880:800:10::bc:c004', so the > query got out but immediately after the state table was emptied and > hence the response got blocked? > Nope, I don't run ntp via cron > > > 3) > If 2001:470:1f11:1e8::2 is not the ipfw node itself, but some node behind > it, could the ntp query to 2604:a880:800:10::bc:c004 have taken a > different path? I.e. the ipfw node doesn't see the query, but the > response > packet is routed to it, so it gets blocked. > 2001:470:1f11:1e8::2 is my firewall where ntpd runs. There are no alternate paths, but this is also a clever idea if I was multihomed and was running bgp with some routes preferred out different interfaces. -- Mark Felder ports-secteam member feld@FreeBSD.org