From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 14 23:23:03 2012
Date: Tue, 14 Feb 2012 23:52:53 +0100
From: "Terrence Koeman"
Organization: MediaMonks B.V.
To: "Freek Dijkstra", "ipfw@freebsd.org"
Subject: RE: Local IPv6 traffic not send over loopback?
In-Reply-To: <4F3AD9F2.9020405@macfreek.nl>
Message-Id: <55e71b64c62eb4468ce10e87770ba9eb@mediamonks.com>
List-Id: IPFW Technical Discussions
On Tue, 14 Feb 2012 at 23:02:26, Freek Dijkstra wrote:
> Hi,
>
> I added a few rules to my firewall to prevent spoofing source IP
> addresses. I encountered some (to me) unexpected behaviour where IPv6
> traffic originating at the host would match an ipfw rule with "in" and
> "recv" set.
>
> I would very much appreciate it if someone could replicate the following
> behaviour, and report the results.
>
> 1. Add a firewall rule:
>    "count log ipv6 from me to me not recv lo0"
> 2. On the host, ping6 to one of its IP addresses.
>
> Here is the result for me:
>
> 2001:610:767:4ec1::1 is an IPv6 address of my host. So I would expect
> that pinging the IP from the host itself would use the loopback interface.
> route get confirms this:
>
> % route get -inet6 2001:610:767:4ec1::1
>    route to: 2001:610:767:4ec1::1
> destination: 2001:610:767:4ec1::1
>   interface: lo0
>       flags:
>  recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
>        0         0         0         0     16384         1         0
>
> However, ipfw thinks the traffic is received through another interface:
>
> % ipfw add 1200 count log ipv6 from me to me not recv lo0
> % ipfw add 1201 count log ipv6 from me to me out not recv lo0
> % ipfw add 1202 count log ipv6 from me to me in not recv lo0
> % ping6 -c 1 2001:610:767:4ec1::1
>> ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
>> ipfw: 1202 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
>
> To add to the confusion, if I would ping the host from an external
> machine, the return traffic (ICMPv6:129 is the echo reply) would match a
> "recv" interface as well, even though the ICMP packet originated from
> the local machine:
>
> % ipfw add 1790 $actfake ipv6 from 2001:610:767::0/48 to any recv tun0
>> ipfw: 1790 Deny ICMPv6:129.0 [2001:610:767:4ec1::1] [2001:610:108:2003:9159:9f48:e2c8:196a] out via tun0
>
> IPv4 traffic behaves as I expect (traffic from me to me uses the
> loopback interface; outgoing ICMP does not match a "recv" rule.)
>
> I did not expect this result.
> 1. Could you replicate this behaviour?
> 2. Is this intended behaviour?
> 3. Is this a property of ipfw or the kernel? (e.g. should I report this
> here or on freebsd-net?)
>

It looks like you're using a SIXXS tunnel; it might have something to do with that rather than it being IPv6.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk
MediaMonks B.V. (www.mediamonks.com)

Please quote relevant replies in correspondence.
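As an added example (not code from this thread or from ipfw itself), a small Python parser for the ipfw log lines quoted above that classifies each entry the way an anti-spoofing rule set like Freek's reads it: a packet whose source is one of the host's own addresses should only ever be seen "in" on lo0. The IPv6 address and the three IPv6 log lines are the thread's; the IPv4 addresses (192.0.2.10, 198.51.100.7) and the two IPv4 lines are constructed.

```python
import re
from ipaddress import ip_address

# Matches ipfw(8) log lines such as the ones quoted in the thread:
#   ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3
# IPv6 addresses are bracketed, IPv4 ones are bare, TCP/UDP entries carry a :port suffix.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"\[?(?P<src>[0-9a-fA-F:.]+?)\]?(?::\d+)? "
    r"\[?(?P<dst>[0-9a-fA-F:.]+?)\]?(?::\d+)? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Addresses configured on the host (assumption: the IPv6 one is from the thread,
# 192.0.2.10 is a constructed placeholder from the documentation range).
LOCAL_ADDRS = frozenset(ip_address(a) for a in ("2001:610:767:4ec1::1", "192.0.2.10"))

# Constructed sample: the thread's three IPv6 lines plus two made-up IPv4 entries.
SAMPLE_LOG = [
    "ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3",
    "ipfw: 1202 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] in via em3",
    "ipfw: 1790 Deny ICMPv6:129.0 [2001:610:767:4ec1::1] [2001:610:108:2003:9159:9f48:e2c8:196a] out via tun0",
    "ipfw: 1200 Count ICMP:8.0 192.0.2.10 192.0.2.10 in via lo0",
    "ipfw: 1790 Deny TCP 198.51.100.7:40000 192.0.2.10:22 in via tun0",
]

def parse_ipfw_log(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    return fields

def classify(entry, local_addrs):
    """Say what a logged packet means to an anti-spoofing rule set on this host."""
    if ip_address(entry["src"]) not in local_addrs:
        return "external"               # source is not ours; the me-to-me rules do not apply
    if entry["dir"] == "out":
        return "outbound-local"         # host-originated packet leaving (rule 1790's echo reply)
    if entry["iface"] == "lo0":
        return "local-loopback"         # me-to-me traffic on the expected interface
    return "local-in-non-loopback"      # our own address inbound on a real interface: spoof, or the quirk asked about

def audit(lines, local_addrs=LOCAL_ADDRS):
    """Map each parseable log line to (rule number, classification)."""
    return [(e["rule"], classify(e, local_addrs)) for e in map(parse_ipfw_log, lines) if e]
```

Running `audit(SAMPLE_LOG)` flags rules 1200 and 1202 as local-source traffic arriving on em3, which is exactly the match Freek did not expect; the rule 1790 reply is classified as outbound, so a "recv" match on it is not explained by this check either.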