Date: Mon, 30 Nov 2015 15:58:26 -0600 From: Mark Felder <feld@FreeBSD.org> To: freebsd-net@freebsd.org Subject: IPFW blocked my IPv6 NTP traffic Message-ID: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com>
next in thread | raw e-mail | index | archive | help
I'm hoping someone can explain what happened here and this isn't a bug, but if it is a bug I'll gladly open a PR. I noticed in my ipfw logs that I was getting a log of "DENY" entries for an NTP server Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 Strange... I looked at ntpq output and sure enough I was trying to communicate with that server. But why was it getting blocked? I don't have a rule to allow IPv4 input from source port 123. I expected IPFW to handle this for me. I know UDP is stateless, but firewalls are usually able to "keep state" for UDP. I looked at my v4 rules which and I have keep-state on there: # Allow all outgoing, skip to NAT ###################################### $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks $cmd 01310 skipto 5000 udp from any to any out via $pif $ks $cmd 01320 skipto 5000 icmp from any to any out via $pif ###################################### I noticed my outbound IPv6 didn't have $ks for udp, so I added it. However, that had no effect. The solution was to add an incoming rule: $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks This seems wrong. Thoughts? -- Mark Felder ports-secteam member feld@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1448920706.962818.454005905.61CF9154>