Date:      Tue, 14 Feb 2012 23:52:53 +0100
From:      "Terrence Koeman" <terrence@mediamonks.net>
To:        "Freek Dijkstra" <public@macfreek.nl>,  "ipfw@freebsd.org" <ipfw@freebsd.org>
Subject:   RE: Local IPv6 traffic not send over loopback?
Message-ID:  <55e71b64c62eb4468ce10e87770ba9eb@mediamonks.com>
In-Reply-To: <4F3AD9F2.9020405@macfreek.nl>

On Tue, 14 Feb 2012 at 23:02:26, Freek Dijkstra wrote:

> Hi,
>
> I added a few rules to my firewall to prevent spoofing source IP
> addresses. I encountered some (to me) unexpected behaviour where IPv6
> traffic originating at the host would match an ipfw rule with "in" and
> "recv <interface>" set.
>
> I would very much appreciate it if someone could replicate the following
> behaviour, and report the results.
>
> 1. Add a firewall rule:
>    "count log ipv6 from me to me not recv lo0"
> 2. On the host, ping6 to one of its IP addresses.
>
> Here is the result for me:
>
> 2001:610:767:4ec1::1 is an IPv6 address of my host. So I would expect
> that pinging the IP from host itself would use the loopback interface.
> route get confirms this:
>
> % route get -inet6 2001:610:767:4ec1::1
>    route to: 2001:610:767:4ec1::1
> destination: 2001:610:767:4ec1::1
>   interface: lo0
>       flags: <UP,HOST,DONE,STATIC>
>  recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
>        0         0         0         0     16384         1         0
> However, ipfw thinks the traffic is received through another interface:
>
> % ipfw add 1200 count log ipv6 from me to me     not recv lo0
> % ipfw add 1201 count log ipv6 from me to me out not recv lo0
> % ipfw add 1202 count log ipv6 from me to me in  not recv lo0
> % ping6 -c 1 2001:610:767:4ec1::1
>
>> ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1]
>> [2001:610:767:4ec1::1] in via em3 ipfw: 1202 Count ICMPv6:128.0
>> [2001:610:767:4ec1::1]
> [2001:610:767:4ec1::1] in via em3
>
> To add to the confusion, if I would ping the host from an external
> machine, the return traffic (ICMPv6:129 is the echo reply) would match a
> "recv" interface as well, even though the ICMP packet originated from
> the local machine:
>
> % ipfw add 1790 $actfake ipv6 from 2001:610:767::0/48 to any recv tun0
>> ipfw: 1790 Deny ICMPv6:129.0 [2001:610:767:4ec1::1]
> [2001:610:108:2003:9159:9f48:e2c8:196a] out via tun0
>
> IPv4 traffic behaves as I expect (traffic from me to me uses the
> loopback interface; outgoing ICMP does not match a "recv" rule.)
>
> I did not expect this result.
> 1. Could you replicate this behaviour?
> 2. Is this intended behaviour?
> 3. Is this a property of ipfw or the kernel? (e.g. should I report this
> here or on freebsd-net?)
>

It looks like you're using a SixXS tunnel; it might have something to do with
that rather than with it being IPv6.

-- 
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.
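As an added example (not code from this thread, from ipfw or from either poster), a small Python parser for log lines in the format quoted above, plus a check that flags host-to-host packets the firewall attributed to a non-loopback interface, which is the IPv6 oddity the thread reports. The log lines and addresses are constructed, and the set of local addresses is an assumption the caller supplies.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the ipfw log format quoted in the thread;
# the addresses are documentation-prefix placeholders, not the thread's own.
SAMPLE_LOG = """\
ipfw: 1200 Count ICMPv6:128.0 [2001:db8:1::1] [2001:db8:1::1] in via em3
ipfw: 1202 Count ICMPv6:128.0 [2001:db8:1::1] [2001:db8:1::1] in via em3
ipfw: 1300 Accept TCP [2001:db8:1::1]:51234 [2001:db8:1::1]:22 in via em3
ipfw: 1790 Deny ICMPv6:129.0 [2001:db8:1::1] [2001:db8:2::5] out via tun0
ipfw: 1100 Count ICMP:8.0 127.0.0.1 127.0.0.1 in via lo0
"""

LINE_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)
# IPv6 endpoints are logged as [addr] or [addr]:port, IPv4 as addr or addr:port.
ENDPOINT_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+))(?::\d+)?$")

@dataclass(frozen=True)
class IpfwRecord:
    rule: int
    action: str
    proto: str
    src: str
    dst: str
    direction: str
    iface: str

def _addr(endpoint: str) -> str:
    """Bare address of a logged endpoint with any port dropped (raw text if unparsable)."""
    m = ENDPOINT_RE.match(endpoint)
    return (m["v6"] or m["v4"]) if m else endpoint

def parse_ipfw_log(text: str) -> list:
    """Parse 'ipfw: N Action PROTO src dst dir via IFACE' lines, skipping others."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(IpfwRecord(int(m["rule"]), m["action"], m["proto"], _addr(m["src"]),
                                  _addr(m["dst"]), m["dir"], m["iface"]))
    return out

def find_non_loopback_local(records, local_addrs, loopback="lo0"):
    """Host-to-host packets seen on anything but loopback: the IPv6 oddity the
    thread reports (expected on lo0, logged 'in via em3')."""
    return [r for r in records
            if r.src in local_addrs and r.dst in local_addrs and r.iface != loopback]
```

Feed it the output of `ipfw` logging from syslog and the host's own address list; every record it returns is a packet that a "not recv lo0" anti-spoofing rule would have matched although both ends are the local host.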


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55e71b64c62eb4468ce10e87770ba9eb>