From owner-freebsd-net@freebsd.org Tue Dec 1 18:22:38 2015
From: Mark Felder
To: Gary Palmer
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW blocked my IPv6 NTP traffic
Date: Tue, 01 Dec 2015 12:22:37 -0600
Message-Id: <1448994157.1328347.454947073.3503184F@webmail.messagingengine.com>
In-Reply-To: <20151201180825.GA79605@in-addr.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Dec 1, 2015, at 12:08, Gary Palmer wrote:
>
> Have you looked at the ipfw state tables to see if a state is recorded?
>
> ipfw -d list
>
> I think
>

Yes, and I can see the state especially for IPv6.

I think I have solved this mystery. There was a problem, and I solved it, but then was fooled into thinking a problem persisted.

* keep-state was missing for some outbound IPv6 traffic
* IPv6 outbound NTP from my firewall was not using high ports, nor was IPv4
* A host behind my firewall was found to be running ntpd and ntimed. ntpd was pointed at the same pool as my firewall and I happened to see some high-port traffic to the same servers I was associated with.
* This host behind my firewall also has an almost identical IPv6 address with one octet being a single digit off (1f11 vs 1f10) as well as shares the same outbound IPv4 address ...
* There was an issue with an IPv6 NTP server or I misread the NTP output (it was stuck in STEP and seemed to go away when I added an IPFW rule)
* The combination of these coincidences caused confusion and fooled me into thinking the source was the firewall.

I'm now confident the keep-state works for IPv6 gif interfaces in IPFW as I can see the states and am now guilty of wasting your time and INBOX space. :)

At least I was able to find two problems and solve them. Thanks, IPFW logging!

--
Mark Felder
ports-secteam member
feld@FreeBSD.org
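Added example, not part of the thread: a toy model of why the missing keep-state mattered. It mimics ipfw's check-state/keep-state handling on a constructed ruleset and constructed packets (addresses, the subset of ipfw syntax parsed, and the default-deny verdict are assumptions of the toy, not ipfw's code); ntpd talks 123-to-123, so the reply only gets in through dynamic state.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport direction")
ME = {"192.0.2.10", "2001:db8::1f10"}  # constructed firewall addresses ("me" / "me6")

def _addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec in ("me", "me6"):      # me = IPv4 local address, me6 = IPv6 local address
        return addr in ME and ((":" in addr) == (spec == "me6"))
    return spec == addr

def parse(line):
    """Parse a small subset of ipfw syntax, e.g. 'allow udp from me6 to any 123 out keep-state'."""
    t = line.split()
    if t[0] == "check-state":
        return {"action": "check-state"}
    rule = {"action": t[0], "proto": t[1], "src": t[3], "dst": t[5],
            "dport": None, "dir": None, "keep_state": False}
    for tok in t[6:]:
        if tok.isdigit():
            rule["dport"] = int(tok)
        elif tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "keep-state":
            rule["keep_state"] = True
    return rule

def _match(r, p):
    return (r["proto"] in ("ip", p.proto) and _addr_ok(r["src"], p.src)
            and _addr_ok(r["dst"], p.dst)
            and r["dport"] in (None, p.dport) and r["dir"] in (None, p.direction))

def run(ruleset, packets):
    """Verdict per packet; keep-state records a flow, check-state admits either direction of it.
    (ipfw's implicit check-state on the first keep-state rule is not modelled here.)"""
    rules = [parse(line) for line in ruleset]
    states, verdicts = set(), []
    for p in packets:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        verdict = "deny"                      # toy assumption: deny when nothing matches
        for r in rules:
            if r["action"] == "check-state":
                if fwd in states or rev in states:
                    verdict = "allow"
                    break
            elif _match(r, p):
                if r["keep_state"]:
                    states.add(fwd)
                verdict = r["action"]
                break
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: ntpd uses source port 123, not a high port, so the reply is 123 -> 123 too.
NTP_OUT = Packet("udp", "2001:db8::1f10", 123, "2001:db8::ff", 123, "out")
NTP_REPLY = Packet("udp", "2001:db8::ff", 123, "2001:db8::1f10", 123, "in")
BROKEN = ["check-state", "allow udp from me6 to any 123 out", "deny ip from any to any"]
FIXED = ["check-state", "allow udp from me6 to any 123 out keep-state", "deny ip from any to any"]
```

With BROKEN the outbound query is allowed but the reply hits the final deny, which is exactly the symptom IPFW logging shows; with FIXED the reply is admitted by check-state.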