From owner-freebsd-ipfw@freebsd.org Tue Dec 1 18:23:59 2015 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0E3B9A3E35D for ; Tue, 1 Dec 2015 18:23:59 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D44E91F9E for ; Tue, 1 Dec 2015 18:23:58 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id D391E204B6 for ; Tue, 1 Dec 2015 13:23:57 -0500 (EST) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Tue, 01 Dec 2015 13:23:57 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=y6hjFFRQVJP8YZB znj1amV0c2Pw=; b=IhjCSVbhgSY1BP2AnRc1lOdWwZp3Jwy6QzE3x02i+ek3j5P b/MfMhRLWX/wtorNjgl9NkROYZKLlw+faDyMUWY+H8U5RiFuKsKA2Z82mfCGSo8G K6HOXT9Nt8L+F3XlxXuZFe/G2O0J1ZqCJI7bzgtGMLgjnT5J9+K6BvvTQ/rY= Received: by web3.nyi.internal (Postfix, from userid 99) id A934210D828; Tue, 1 Dec 2015 13:23:57 -0500 (EST) Message-Id: <1448994237.1328914.454960825.14BECB56@webmail.messagingengine.com> X-Sasl-Enc: zmpgyGAuad907GuyNd+ininjrAtp+fKsB1GMgO5/2/Et 1448994237 From: Mark Felder To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-b94e6169 In-Reply-To: <1448992228.1319754.454925001.2A341FB4@webmail.messagingengine.com> References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> <1448992228.1319754.454925001.2A341FB4@webmail.messagingengine.com> Subject: Re: IPFW keep-state and software interfaces Date: Tue, 01 Dec 2015 12:23:57 -0600 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 18:23:59 -0000 On Tue, Dec 1, 2015, at 11:50, Mark Felder wrote: > > > On Tue, Dec 1, 2015, at 10:27, elof2@sentor.se wrote: > > On Tue, 1 Dec 2015, Mark Felder wrote: > > > > > > > > > > > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote: > > >> > > >> Hi, Mark. > > >> > > >> > > >>> I'm hoping someone can explain what happened here and this isn't a bug, > > >>> but if it is a bug I'll gladly open a PR. > > >>> > > >>> I noticed in my ipfw logs that I was getting a log of "DENY" entries for > > >>> an NTP server > > >>> > > >>> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP > > >>> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 > > > > Three long-shots: > > > > 1) > > I see that you use a gif interface. That makes me wonder: > > Do the 'keep-state' function in 'ipfw' work as bad as it does in 'pf'? > > > > In pf, 'keep state" doesn't keep state between software network > > interfaces and real network interfaces. So if I allow something in via > > tun0 (a software OpenVPN NIC), with keep state, the response is *not* > > automatically (via the state table) allowed back in on the ethernet NIC > > it > > was sent out. So for all my VPN-rules, I have to make two of them like > > this: > > > > Pf example: > > pass in quick on tun0 inet proto tcp from to > > port 22 keep state label "VpnIN - SSH" > > pass out quick on em1 inet proto tcp from to > > port 22 keep state label "DmzOUT - SSH" > > > > Curious if anyone on the ipfw list can provide insight into IPFW's > "keep-state" behavior with software network interfaces. Eg, with a gif > tunnel for IPv6. If it's failing to match that might explain why I've > witnessed NTP high-port responses get blocked on v6 but not v4. > > Why I'm even seeing high port usage for NTP is yet another mystery I'm > trying to track down. > I solved my mystery: it was another host behind my firewall with almost identical IPv6 address. IPv6 "keep-state" with my gif tunnel is working correctly. Nothing to see here, move along. :) -- Mark Felder ports-secteam member feld@FreeBSD.org