Date: Thu, 21 Oct 2021 01:46:01 +0100
From: Johannes Totz via freebsd-stable <freebsd-stable@freebsd.org>
To: freebsd-stable@freebsd.org
Subject: Re: ipfw antispoof differences between 12 and 13
Message-ID: <107ab48e-b3ae-0c3a-fd07-f4867e5fc962@bruelltuete.com>
In-Reply-To: <cca95db7-a298-dc6f-a478-4821fa94e129@bruelltuete.com>
On 19/10/2021 21:20, Johannes Totz wrote:
> Hi folks,
>
> are there any known differences for how ipfw's antispoof pattern works
> between 12-stable and 13-stable?
>
> When upgrading to 13-stable, I've noticed that ipfw started rejecting
> packets coming from an epair interface, based on an antispoof rule.
>
> On 12-stable, packets sent via epair (e.g. from inside a jail) do not
> match, i.e. do not get rejected:
>
> ipfw add deny log ip from any to any not antispoof in
>
> On 13-stable, those packets suddenly match and get rejected.
>
> Are epair interfaces no longer considered "directly connected"?
>
>
> One odd thing I've noticed (since 12-stable) with ipfw logs is that
> packets from an epair interface are logged as coming via loopback.
> Here's an example (on 13-stable), from /var/security.log:
>
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0
>
> Rule 3600 is an explicit accept for that epair interface.
> Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly
> configured for one half of this epair interface.
>
> There's a paragraph in the ipfw manpage that sounds like this epair vs
> loopback confusion might be the cause of it.

Ah nvm, it was a routing mistake. Fixing up the routing table by hand
makes things work again with antispoof and the ipfw log looks much better
as well.
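The check the thread is about, as an added example that is not part of the
original post and not ipfw's own code: ipfw(8) describes "antispoof" as, for
incoming packets, verifying that a source address on a directly connected
network arrived on that network's interface, and the kernel answers "which
interface" with a routing-table lookup. The Python model below reproduces
that logic on a constructed routing table so you can see why a stray route
makes legitimate epair traffic match "not antispoof in". The addresses
(192.0.2.0/24), the interface names (epair0a, lo0) and the particular bad
route (a host route for the jail address pointing at lo0) are assumptions
made for illustration; the thread does not say what the author's routing
mistake was. Cases the real kernel check handles beyond this (blackhole and
reject routes, IPv6, loopback special cases) are deliberately not modelled.

```python
"""Model of the ipfw 'antispoof' match option (added example, not ipfw source).

Semantics taken from ipfw(8): for an incoming packet whose source address is
on a directly connected network, 'antispoof' is true only if the packet was
received on the interface that the route for that source points at. For any
other source address the option is simply true. The rule

    ipfw add deny log ip from any to any not antispoof in

therefore fires exactly when the check below returns False.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str        # interface the kernel would use to reach this prefix
    connected: bool   # True for an interface (directly connected) route


def lookup(routes, addr: IPv4Address):
    """Longest-prefix match, as the kernel's FIB lookup does."""
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def antispoof_passes(routes, src: str, rcvif: str) -> bool:
    """True when the packet satisfies 'antispoof' (so 'not antispoof' does not match)."""
    src_ip = ip_address(src)
    # Only sources on a directly connected network are checked at all.
    if not any(r.connected and src_ip in r.prefix for r in routes):
        return True
    # Reverse lookup: the route for the *source* must lead back out through
    # the interface the packet was received on.
    r = lookup(routes, src_ip)
    return r is not None and r.iface == rcvif


def rule_500_denies(routes, src: str, rcvif: str) -> bool:
    """'deny ip from any to any not antispoof in' matches when the check fails."""
    return not antispoof_passes(routes, src, rcvif)


# Constructed host routing tables. epair0a is the host half of the pair with
# 192.0.2.1/24; the jail half holds 192.0.2.2 (assumed layout, see lead-in).
FIXED_ROUTES = [
    Route(ip_network("192.0.2.0/24"), "epair0a", connected=True),
]

# Assumed "routing mistake": a leftover host route for the jail address that
# points at lo0. It is more specific than the connected /24, so it wins the
# lookup and the packet appears to have come from the wrong interface.
BROKEN_ROUTES = FIXED_ROUTES + [
    Route(ip_network("192.0.2.2/32"), "lo0", connected=False),
]


def main():
    cases = [
        ("broken table, jail packet in via epair0a", BROKEN_ROUTES, "192.0.2.2", "epair0a"),
        ("fixed table,  jail packet in via epair0a", FIXED_ROUTES, "192.0.2.2", "epair0a"),
        ("fixed table,  spoofed jail src in via lo0", FIXED_ROUTES, "192.0.2.2", "lo0"),
        ("fixed table,  remote src in via epair0a", FIXED_ROUTES, "198.51.100.7", "epair0a"),
    ]
    for label, routes, src, rcvif in cases:
        verdict = "Deny (rule 500)" if rule_500_denies(routes, src, rcvif) else "pass"
        print(f"{label}: src {src} via {rcvif} -> {verdict}")


if __name__ == "__main__":
    main()
```

The useful takeaway for anyone hitting the same symptom: before blaming the
firewall, run `route -n get <jail address>` on the host and confirm the
interface it reports is the epair half you expect, because that is the
interface antispoof compares against.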
