From: Mark Felder <feld@FreeBSD.org>
To: wishmaster, freebsd-net@freebsd.org
Subject: Re: IPFW blocked my IPv6 NTP traffic
Date: Tue, 01 Dec 2015 12:00:47 -0600
Message-Id: <1448992847.1321736.454930393.6EE09773@webmail.messagingengine.com>
In-Reply-To: <1448982799.434403138.1awkb6gu@frv34.fwdcdn.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Dec 1, 2015, at 09:16, wishmaster wrote:
>
> --- Original message ---
> From: "Mark Felder"
> Date: 1 December 2015, 17:05:35
>
> > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote:
> > >
> > > Hi, Mark.
> > >
> > > > I'm hoping someone can explain what happened here and this isn't a bug,
> > > > but if it is a bug I'll gladly open a PR.
> > > >
> > > > I noticed in my ipfw logs that I was getting a lot of "DENY" entries for
> > > > an NTP server:
> > > >
> > > > Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP
> > > > [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
> > > >
> > > > Strange... I looked at ntpq output and sure enough I was trying to
> > > > communicate with that server. But why was it getting blocked? I don't
> > > > have a rule to allow IPv4 input from source port 123. I expected IPFW to
> > > > handle this for me. I know UDP is stateless, but firewalls are usually
> > > > able to "keep state" for UDP. I looked at my v4 rules and I have
> > > > keep-state on there:
> > > >
> > > > # Allow all outgoing, skip to NAT
> > > > ######################################
> > > > $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks
> > > > $cmd 01310 skipto 5000 udp from any to any out via $pif $ks
> > > > $cmd 01320 skipto 5000 icmp from any to any out via $pif
> > > > ######################################
> > > >
> > > > I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> > > > However, that had no effect. The solution was to add an incoming rule:
> > > >
> > > > $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
> > > >
> > > > This seems wrong. Thoughts?
> > > >
> > >
> > > What is your 5000 rule?
> > >
> >
> > $cmd 05000 nat 1 ip4 from any to any out via $pif
>
> Hey. As I understand, there is a problem with clients from the Internet
> connecting to your NTP server. If yes, why do you use a NAT rule?
>

That's the NAT rule for my home network for outbound IPv4. It's working as
expected. Outbound NTP traffic on high ports (not 123) works fine with IPv4.
The reply from the NTP server is allowed through, presumably from the
keep-state rule on outbound UDP traffic. Outbound NTP traffic on high ports
with IPv6 is allowed outbound but the replies denied inbound. This has been
my source of confusion and concern considering it should have been allowed
by keep-state.

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
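The omission the original poster ran into (an outbound IPv6 UDP rule without $ks, so no dynamic rule is created and the NTP reply has to be matched by a static inbound rule) is easy to miss by eye in a long rc-style ipfw script. The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh lint that reads rules written in the same `$cmd NNNNN action proto from ... out via $if $ks` style as the quoted ones and reports every outbound tcp/udp rule that carries neither `keep-state` nor the `$ks` shorthand. The sample ruleset is constructed for this example; `$cmd`, `$pif`, `$pif6` and `$ks` are left as literal variable names exactly as they appear in such a script, and the rule numbers are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ipfw ruleset for outbound
# tcp/udp rules that will not create dynamic (keep-state) entries.

# Sample ruleset, constructed for this example. The IPv6 udp rule (02310)
# deliberately lacks $ks, mirroring the omission described in the thread.
SAMPLE_RULES='
$cmd 01000 check-state
# Allow all outgoing IPv4, skip to NAT
$cmd 01300 skipto 5000 tcp from any to any out via $pif $ks
$cmd 01310 skipto 5000 udp from any to any out via $pif $ks
$cmd 01320 skipto 5000 icmp from any to any out via $pif
# Allow all outgoing IPv6
$cmd 02300 allow tcp from any to any out via $pif6 $ks
$cmd 02310 allow udp from any to any out via $pif6
$cmd 02320 allow ipv6-icmp from any to any out via $pif6
$cmd 05000 nat 1 ip4 from any to any out via $pif
'

# lint_outbound_state: read rules on stdin, print "<rulenum> <proto>" for
# each outbound tcp/udp rule that has neither "keep-state" nor "$ks".
# Comment and blank lines are ignored; only lines starting with $cmd count.
lint_outbound_state() {
    grep '^[$]cmd' | awk '
        {
            proto = ""; out = 0; stateful = 0
            # field 1 is $cmd, field 2 the rule number; scan the rest
            for (i = 3; i <= NF; i++) {
                if (($i == "tcp" || $i == "udp") && proto == "") proto = $i
                if ($i == "out") out = 1
                if ($i == "keep-state" || $i == "$ks") stateful = 1
            }
            if (proto != "" && out && !stateful) print $2, proto
        }'
}

# has_check_state: exit 0 if an explicit check-state rule exists. ipfw also
# consults the dynamic table at the first keep-state rule it reaches, but an
# explicit early check-state makes the evaluation order easier to reason about.
has_check_state() {
    grep -q '^[$]cmd [0-9]* check-state'
}

# lint_sample: run the lint over the constructed ruleset, findings as a string.
lint_sample() {
    printf '%s\n' "$SAMPLE_RULES" | lint_outbound_state
}

# Stand-alone run: report the stateless outbound rules in the sample.
lint_sample
```

On a live FreeBSD host, `ipfw -d list` prints the dynamic rules alongside the static ones, which is the quickest way to confirm whether an outbound IPv6 UDP flow actually produced a state entry before adding a static inbound rule such as the `src-port 123` one in the thread.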