Date: Tue, 01 Dec 2015 12:22:37 -0600
From: Mark Felder <feld@FreeBSD.org>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW blocked my IPv6 NTP traffic
Message-ID: <1448994157.1328347.454947073.3503184F@webmail.messagingengine.com>
In-Reply-To: <20151201180825.GA79605@in-addr.com>
References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> <1448982799.434403138.1awkb6gu@frv34.fwdcdn.com> <1448992847.1321736.454930393.6EE09773@webmail.messagingengine.com> <20151201180825.GA79605@in-addr.com>
On Tue, Dec 1, 2015, at 12:08, Gary Palmer wrote:
> > Have you looked at the ipfw state tables to see if a state is recorded?
> > ipfw -d list
> > I think
> Yes, and I can see the state especially for IPv6.

I think I have solved this mystery. There was a problem, and I solved it, but then was fooled into thinking a problem persisted.

* keep-state was missing for some outbound IPv6 traffic
* IPv6 outbound NTP from my firewall was not using high ports, nor was IPv4
* A host behind my firewall was found to be running ntpd and ntimed. ntpd was pointed at the same pool as my firewall and I happened to see some high-port traffic to the same servers I was associated with.
* This host behind my firewall also has an almost identical IPv6 address with one octet being a single digit off (1f11 vs 1f10) as well as shares the same outbound IPv4 address ...
* There was an issue with an IPv6 NTP server or I misread the NTP output (it was stuck in STEP and seemed to go away when I added an IPFW rule)
* The combination of these coincidences caused confusion and fooled me into thinking the source was the firewall.

I'm now confident the keep-state works for IPv6 gif interfaces in IPFW as I can see the states and am now guilty of wasting your time and INBOX space. :)

At least I was able to find two problems and solve them. Thanks, IPFW logging!

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
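As an added illustration (not part of the thread or Mark's ruleset), here is an ipfw fragment showing the first problem he lists: an outbound IPv6 NTP rule without keep-state, beside the corrected version, and the dynamic-rule check Gary suggested. It assumes the IPv6 tunnel interface is gif0, that ntpd on the firewall sends from source port 123 (no high ports, as the message notes), and uses arbitrary rule numbers.

```ipfw
# Added example, not from the thread. Assumptions: IPv6 tunnel is gif0,
# ntpd on the firewall sources its polls from port 123, rule numbers
# are arbitrary.

# --- Before: outbound NTP passes, but no state is kept ---
# The pool server's reply arrives inbound on gif0 with src port 123,
# matches nothing permissive, and hits the logging deny.
ipfw add 1000 allow udp from me6 to any dst-port 123 out via gif0
ipfw add 65000 deny log ip6 from any to any in via gif0

# --- After: keep-state on the outbound rule, check-state ahead of it ---
# The outbound poll creates a dynamic rule for its 5-tuple; the reply
# matches that entry at check-state and is accepted before reaching the
# deny, so nothing is logged for legitimate NTP.
ipfw delete 1000
ipfw add 900  check-state
ipfw add 1000 allow udp from me6 to any dst-port 123 out via gif0 keep-state

# --- Verify (what "ipfw -d list" is for) ---
# After ntpd has sent at least one poll, the dynamic rule for that
# udp 123 -> 123 exchange should appear in the dynamic rule listing with
# its remaining lifetime. If it is missing while the deny rule is still
# logging inbound udp 123, the outbound traffic is not hitting rule 1000.
ipfw -d list
ipfw -d list | grep -i 'udp .* 123'
```

Absence of the dynamic entry (rather than the presence of inbound deny logs) is the signal that the keep-state rule is not seeing the outbound traffic, which is the distinction this thread turned on.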