From owner-freebsd-ipfw@freebsd.org Tue Dec 1 17:50:29 2015 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AEAE5A3E966 for ; Tue, 1 Dec 2015 17:50:29 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 81D0E1220 for ; Tue, 1 Dec 2015 17:50:29 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 4592220D23 for ; Tue, 1 Dec 2015 12:50:28 -0500 (EST) Received: from web3 ([10.202.2.213]) by compute2.internal (MEProxy); Tue, 01 Dec 2015 12:50:28 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=Iu56sJm3bMoasVH ovXkWjnS7aes=; b=FsentpVHDbYTEXWDOyZ6XlaTmhCW8N51LraM2izPhGk7+5s RveWl4AjN7OILEiY+9qvcmga2H6qlwKjFXALMQ7LvmVEIfyCoqQWtjzOfvX0c4Xn 79HqWcqghiXmDsZQgn3MrP0lSWuONx4aEer6UF05uCmmKKkZrpA/ACLBSD40= Received: by web3.nyi.internal (Postfix, from userid 99) id 1BE7E10D6CA; Tue, 1 Dec 2015 12:50:28 -0500 (EST) Message-Id: <1448992228.1319754.454925001.2A341FB4@webmail.messagingengine.com> X-Sasl-Enc: BZ+wCaumqjtbTlnz030oMqYJ1ZcxDPUZawL+t3vK4HJ7 1448992228 From: Mark Felder To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-b94e6169 Subject: IPFW keep-state and software interfaces Date: Tue, 01 Dec 2015 11:50:28 -0600 In-Reply-To: References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 17:50:29 -0000 On Tue, Dec 1, 2015, at 10:27, elof2@sentor.se wrote: > On Tue, 1 Dec 2015, Mark Felder wrote: > > > > > > > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote: > >> > >> Hi, Mark. > >> > >> > >>> I'm hoping someone can explain what happened here and this isn't a bug, > >>> but if it is a bug I'll gladly open a PR. > >>> > >>> I noticed in my ipfw logs that I was getting a log of "DENY" entries for > >>> an NTP server > >>> > >>> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP > >>> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 > > Three long-shots: > > 1) > I see that you use a gif interface. That makes me wonder: > Do the 'keep-state' function in 'ipfw' work as bad as it does in 'pf'? > > In pf, 'keep state" doesn't keep state between software network > interfaces and real network interfaces. So if I allow something in via > tun0 (a software OpenVPN NIC), with keep state, the response is *not* > automatically (via the state table) allowed back in on the ethernet NIC > it > was sent out. So for all my VPN-rules, I have to make two of them like > this: > > Pf example: > pass in quick on tun0 inet proto tcp from to > port 22 keep state label "VpnIN - SSH" > pass out quick on em1 inet proto tcp from to > port 22 keep state label "DmzOUT - SSH" > Curious if anyone on the ipfw list can provide insight into IPFW's "keep-state" behavior with software network interfaces. Eg, with a gif tunnel for IPv6. If it's failing to match that might explain why I've witnessed NTP high-port responses get blocked on v6 but not v4. Why I'm even seeing high port usage for NTP is yet another mystery I'm trying to track down. -- Mark Felder ports-secteam member feld@FreeBSD.org