IPFW blocked my IPv6 NTP traffic

wishmaster artemrts at ukr.net
Tue Dec 1 15:36:22 UTC 2015 

 
 --- Original message ---
 From: "Mark Felder" <feld at freebsd.org>
 Date: 1 December 2015, 17:05:35
  

> 
> 
> On Tue, Dec 1, 2015, at 02:02, wishmaster wrote:
> > 
> > Hi, Mark.
> > 
> > 
> > > I'm hoping someone can explain what happened here and this isn't a bug,
> > > but if it is a bug I'll gladly open a PR.
> > > 
> > > I noticed in my ipfw logs that I was getting a log of "DENY" entries for
> > > an NTP server
> > > 
> > > Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP
> > > [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
> > > 
> > > Strange... I looked at ntpq output and sure enough I was trying to
> > > communicate with that server. But why was it getting blocked? I don't
> > > have a rule to allow IPv4 input from source port 123. I expected IPFW to
> > > handle this for me. I know UDP is stateless, but firewalls are usually
> > > able to "keep state" for UDP. I looked at my v4 rules which and I have
> > > keep-state on there:
> > > 
> > > # Allow all outgoing, skip to NAT
> > > ######################################
> > > $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks
> > > $cmd 01310 skipto 5000 udp from any to any out via $pif $ks
> > > $cmd 01320 skipto 5000 icmp from any to any out via $pif
> > > ######################################
> > > 
> > > I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> > > However, that had no effect. The solution was to add an incoming rule:
> > > 
> > > $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
> > > 
> > > This seems wrong. Thoughts?
> > > 
> > 
> > What is your 5000 rule?
> > 
> 
> $cmd 05000 nat 1 ip4 from any to any out via $pif

 Hey. As I understand, there is a problem in connection clients from Inet with your NTP server. If yes, why do you use NAT rule?


> > In general on public interface you should:
> > $cmd 12345 allow log all from any to me 123 $ks
> > 
> > And for outgoing traffic just:
> > $cmd 1234 allow log all from me to any $ks
> > 
> > This works for me.
> > 

--
Vitaliy

More information about the freebsd-net mailing list