Date:      Thu, 21 Oct 2021 01:46:01 +0100
From:      Johannes Totz via freebsd-stable <freebsd-stable@freebsd.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: ipfw antispoof differences between 12 and 13
Message-ID:  <107ab48e-b3ae-0c3a-fd07-f4867e5fc962@bruelltuete.com>
In-Reply-To: <cca95db7-a298-dc6f-a478-4821fa94e129@bruelltuete.com>
References:  <cca95db7-a298-dc6f-a478-4821fa94e129@bruelltuete.com>

On 19/10/2021 21:20, Johannes Totz wrote:
> Hi folks,
> 
> are there any known differences for how ipfw's antispoof pattern works 
> between 12-stable and 13-stable?
> 
> When upgrading to 13-stable, I've noticed that ipfw started rejecting 
> packets coming from an epair interface, based on an antispoof rule.
> 
> On 12-stable, packets sent via epair (e.g. from inside a jail) do not 
> match, i.e. do not get rejected:
> 
> ipfw add deny log ip from any to any not antispoof in
> 
> On 13-stable, those packets suddenly match and get rejected.
> 
> Are epair interfaces no longer considered "directly connected"?
> 
> 
> One odd thing I've noticed (since 12-stable) with ipfw logs is that 
> packets from an epair interface are logged as coming via loopback. 
> Here's an example (on 13-stable), from /var/security.log:
> 
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0
> 
> Rule 3600 is an explicit accept for that epair interface.
> Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly 
> configured for one half of this epair interface.
> 
> There's a paragraph in the ipfw manpage that sounds like this epair vs 
> loopback confusion might be the cause of it.

Ah nvm, it was a routing mistake. Fixing up the routing table by hand 
makes things work again with antispoof and the ipfw log looks much 
better as well.
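The behaviour discussed in this thread, as an added example that is not part of the original mail or of FreeBSD's own code: a small Python model of the `antispoof` option as ipfw(8) describes it. A packet whose source address sits on a directly connected network matches only when it arrives on the interface that network is reached through; sources that are not directly connected always match. The kernel resolves "which interface" through a route lookup on the source address, so the interface table below (constructed, with RFC 5737 addresses standing in for the thread's x.x.x.x) plays the role of the routing table, and the lo0 vs epair mismatch in the logged lines is what the model reproduces. The log parser and the interface names are assumptions for illustration.

```python
"""
Educational model of ipfw's antispoof check (added example, not FreeBSD code).
Assumption: the interface each prefix is reached through is supplied by hand;
real ipfw derives it from the kernel routing table, which is why a routing
mistake changes the verdict. Addresses are constructed RFC 5737 test ranges.
"""
import ipaddress
import re

# Constructed table of "directly connected" prefixes and their interfaces.
# epair0b carries the jail's address; lo0 carries loopback only.
IFACE_PREFIXES = {
    "lo0": [ipaddress.ip_network("127.0.0.0/8")],
    "em0": [ipaddress.ip_network("198.51.100.0/24")],
    "epair0b": [ipaddress.ip_network("192.0.2.0/24")],
}


def connected_iface(src, table=IFACE_PREFIXES):
    """Interface whose directly connected prefix contains src, or None."""
    addr = ipaddress.ip_address(src)
    for iface, prefixes in table.items():
        if any(addr in p for p in prefixes):
            return iface
    return None


def antispoof_matches(src, iface, table=IFACE_PREFIXES):
    """
    Model of the `antispoof` option: a directly connected source matches only
    when the packet's interface is the one that network is connected to; a
    source that is not directly connected always matches (check not applied).
    """
    expected = connected_iface(src, table)
    if expected is None:
        return True
    return expected == iface


def rule_500_verdict(src, iface, table=IFACE_PREFIXES):
    """Rule 500 from the thread, `deny ... not antispoof in`: deny on mismatch."""
    return "Deny" if not antispoof_matches(src, iface, table) else "Pass"


# Matches the ipfw log format seen in the thread (hypothetical parser).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(line):
    """Return the fields of one logged packet, or None if the line is not ipfw."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def explain_log_line(line, table=IFACE_PREFIXES):
    """For an inbound logged packet, show which interface antispoof expected."""
    rec = parse_ipfw_log(line)
    if rec is None or rec["dir"] != "in":
        return None
    return {
        "src": rec["src"],
        "seen_via": rec["iface"],
        "expected_via": connected_iface(rec["src"], table),
        "verdict": rule_500_verdict(rec["src"], rec["iface"], table),
    }


# Constructed log line mirroring the thread's "in via lo0" entries.
SAMPLE_LOG = ("host kernel: ipfw: 500 Deny UDP 192.0.2.10:58297 "
              "198.51.100.53:53 in via lo0")

if __name__ == "__main__":
    # The jail's address shows up on lo0: antispoof does not match, rule denies.
    print(explain_log_line(SAMPLE_LOG))
    # Same packet once routing delivers it over the epair half it belongs to.
    print(rule_500_verdict("192.0.2.10", "epair0b"))
```

The model makes the diagnosis in the reply visible: the denial is not about the address itself but about which interface the source address resolves to, so correcting the route entry changes `expected_via` and the same packet passes.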