From owner-freebsd-net@freebsd.org Mon Nov 30 21:58:28 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6F66EA3DE39 for ; Mon, 30 Nov 2015 21:58:28 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 474701ACD for ; Mon, 30 Nov 2015 21:58:28 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 83C6E205F8 for ; Mon, 30 Nov 2015 16:58:26 -0500 (EST) Received: from web3 ([10.202.2.213]) by compute4.internal (MEProxy); Mon, 30 Nov 2015 16:58:26 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=1Yy9dfuSkVOcmAXclkOzJu0HT9A=; b=Zr1vA xDQvVpVyl9Nd8Y8owvDmaYI7J2ehuxjG73qkoPOnFHAQNQsbY2g/4VQoMz914mwG d2bYB2hM0ZnASzqlcTqW517fSdHZV6EYmOD3ge/BFysVr2yEJlxEsLxBgE06Lo6q +bjoFxjEAUD37r5i5eNVWNatX09MU3Wzo1XK94= Received: by web3.nyi.internal (Postfix, from userid 99) id 5D65A103295; Mon, 30 Nov 2015 16:58:26 -0500 (EST) Message-Id: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> X-Sasl-Enc: PO/FNSpwuRBQK26xQejbDZMuNJzvKT/WqdWs8J03ygEH 1448920706 From: Mark Felder To: freebsd-net@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-227d657c Subject: IPFW blocked my IPv6 NTP traffic Date: Mon, 30 Nov 2015 15:58:26 -0600 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Nov 2015 21:58:28 -0000 I'm hoping someone can explain what happened here and this isn't a bug, but if it is a bug I'll gladly open a PR. I noticed in my ipfw logs that I was getting a log of "DENY" entries for an NTP server Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 Strange... I looked at ntpq output and sure enough I was trying to communicate with that server. But why was it getting blocked? I don't have a rule to allow IPv4 input from source port 123. I expected IPFW to handle this for me. I know UDP is stateless, but firewalls are usually able to "keep state" for UDP. I looked at my v4 rules which and I have keep-state on there: # Allow all outgoing, skip to NAT ###################################### $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks $cmd 01310 skipto 5000 udp from any to any out via $pif $ks $cmd 01320 skipto 5000 icmp from any to any out via $pif ###################################### I noticed my outbound IPv6 didn't have $ks for udp, so I added it. However, that had no effect. The solution was to add an incoming rule: $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks This seems wrong. Thoughts? -- Mark Felder ports-secteam member feld@FreeBSD.org