Subject: Re: IPFW blocked my IPv6 NTP traffic
From: Charles Swiger
To: Mark Felder
Cc: freebsd-net@freebsd.org
Date: Mon, 30 Nov 2015 14:45:26 -0800
Message-Id: <86B10B8B-6A12-41AB-9C19-17F7E65CDBB4@mac.com>
In-Reply-To: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi, Mark--

On Nov 30, 2015, at 1:58 PM, Mark Felder wrote:
> [ ... ]
> I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> However, that had no effect. The solution was to add an incoming rule:
>
> $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
>
> This seems wrong. Thoughts?

Yes, someone can perform a UDP scan of your network using a source port of 123. That's generally not a huge risk, but that very much depends on what is binding to the UDP protocol on your network.

(Note that using a UDP source port of 53 for scans is very popular as well.)
I don't know whether UDP keepstate is broken for IPv6, but freebsd-ipfw folks might have more info.

Also note that performing stateful filtering of DNS and UDP traffic can be a bad idea because of DoS potential. Consider something like this:

# allow DNS,NTP queries out in the world
add pass udp from MYNET HIPORTS to any 53,123
add pass udp from any 53,123 to MYNET HIPORTS
add pass udp from any 53,123 to any 53,123
# traceroute
add pass udp from any HIPORTS to any 33434-33523
# add any other expected UDP traffic here, i.e.:
# add pass udp from any 123,HIPORTS to MYNTPSERVER 123
# add pass udp from MYNTPSERVER 123 to any 123,HIPORTS
# and then log outgoing and block unexpected incoming UDP traffic
add pass log udp from MYNET to any
add unreach filter-prohib log udp from any to any

Regards,
-- 
-Chuck

PS: Yes, I think firewall_flags="-p cpp" is a reasonable choice, but /bin/sh is just fine if you prefer that. :-)
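The stateless UDP ruleset Chuck sketches above, written out as an added example (this is not his code, nor anything shipped with FreeBSD) in the form of a /bin/sh firewall script of the kind firewall_type/firewall_script points at. It fills in the MYNET, HIPORTS and MYNTPSERVER placeholders from environment variables and, by default, only echoes the ipfw commands so the generated rules can be inspected before anything is loaded. The 2001:db8::/32 prefix, the 2001:db8::123 server address, the rule numbers 3000-3070 and the IPFW_CMD variable are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Chuck's or FreeBSD's own code.
# Stateless DNS/NTP/traceroute UDP rules in ipfw syntax. No keep-state is
# used, so no dynamic rule is created per packet and an attacker spraying
# UDP cannot fill the dynamic-rule table (bounded by net.inet.ip.fw.dyn_max).
set -u

MYNET="${MYNET:-2001:db8::/32}"              # assumption: your own prefix
HIPORTS="${HIPORTS:-1024-65535}"              # unprivileged client ports
MYNTPSERVER="${MYNTPSERVER:-2001:db8::123}"   # assumption: a peer you sync with
# Dry-run by default; set IPFW_CMD="ipfw -q" (as root) to load for real.
IPFW_CMD="${IPFW_CMD:-echo ipfw -q}"

# rule NUM BODY... : emit one "add NUM BODY" through $IPFW_CMD
rule() {
    num=$1; shift
    $IPFW_CMD add "$num" "$@"
}

udp_rules() {
    # allow DNS,NTP queries out in the world and the replies back
    rule 3000 pass udp from "$MYNET" "$HIPORTS" to any 53,123
    rule 3010 pass udp from any 53,123 to "$MYNET" "$HIPORTS"
    rule 3020 pass udp from any 53,123 to any 53,123
    # traceroute probes
    rule 3030 pass udp from any "$HIPORTS" to any 33434-33523
    # expected peering with a known NTP server (symmetric, port 123 both ways)
    rule 3040 pass udp from any 123,"$HIPORTS" to "$MYNTPSERVER" 123
    rule 3050 pass udp from "$MYNTPSERVER" 123 to any 123,"$HIPORTS"
    # log what still goes out, refuse everything else that comes in
    rule 3060 pass log udp from "$MYNET" to any
    rule 3070 unreach filter-prohib log udp from any to any
}

udp_rules
```

Because none of these rules name an interface or an address family, ipfw applies them to IPv4 and IPv6 alike, so the "in via $pif6" special case from the original question is not needed; the reply rules 3010 and 3050 are what let an NTP answer with source port 123 back in, and rule 3070 is what a scanner spoofing source port 123 hits for any port that 3010 does not cover. Run it once with the default IPFW_CMD, read the echoed rules, then re-run with IPFW_CMD="ipfw -q".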