IPFW blocked my IPv6 NTP traffic
Mark Felder
feld at FreeBSD.org
Tue Dec 1 16:52:28 UTC 2015
On Tue, Dec 1, 2015, at 10:50, elof2 at sentor.se wrote:
>
> Not that this helps this thread to move on, but just to clarify:
>
> In this case, the NAT that would introduce the randomized src port would
> be *your* NAT, not a NAT at pool.ntp.org.
>
>
> Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
>
> The blocked response came from port 123 just as expected.
>
> If the client truly sent out a query from src port 123, then it must have
> been your NAT that picked a free random port to use for its outgoing
> connection, i.e. port 58285.
> The server then responds back to your NAT IP 2001:470:1f11:1e8::2 at port
> 58285.
> Your NAT should receive the packet, match it against its NAT table, find
> that it indeed has an ongoing UDP connection for that particular flow, and
> so rewrite the dst IP and dst port to your original internal IP address
> and original port (123) and send it back to the client.
>
> /Elof
>
There's no NAT involved with my IPv6.
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
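The deny line quoted above has a recognisable shape: inbound UDP from port 123 to a high port, which is what an NTP reply looks like when the ruleset has no rule for the return half of the flow. The script below is an added example (not code from this thread or from FreeBSD) that parses ipfw log records in that format and labels each dropped packet by which NTP flow it belongs to, so an operator can tell "reply to my own query" apart from "someone querying me" before deciding which rule to adjust. The first sample line is the one quoted in the thread; the other sample lines, the class names, and the LogRecord/classify_ntp/summarize helpers are constructed for this example. The remark about keep-state and check-state refers to the standard ipfw keywords, not to the poster's actual ruleset.

```python
"""Parse ipfw deny log lines and classify which NTP flows a ruleset is dropping."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
NTP_PORT = 123

# Constructed sample log: the first line is the record quoted in the thread,
# the remaining lines are hypothetical records in the same ipfw log format.
SAMPLE_LOG = """\
Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
Deny UDP [2001:db8::1]:123 [2001:db8::2]:123 in via gif0
Deny UDP [2001:db8::9]:51515 [2001:db8::2]:123 in via gif0
Deny UDP 198.51.100.7:53 192.0.2.10:40021 in via em0
this line is not an ipfw log record
"""

# One endpoint: "[v6addr]:port" or "v4addr:port". Group names are prefixed with n.
_ENDPOINT = (
    r"(?:\[(?P<{n}6>[0-9A-Fa-f:.]+)\]|(?P<{n}4>\d{{1,3}}(?:\.\d{{1,3}}){{3}}))"
    r":(?P<{n}port>\d{{1,5}})"
)
_LINE_RE = re.compile(
    r"(?P<action>Deny|Accept|Count|Reset|Unreach)\s+(?P<proto>[A-Za-z0-9]+)\s+"
    + _ENDPOINT.format(n="src") + r"\s+"
    + _ENDPOINT.format(n="dst")
    + r"\s+(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass(frozen=True)
class LogRecord:
    action: str
    proto: str
    src: IPAddr
    sport: int
    dst: IPAddr
    dport: int
    direction: str
    iface: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for an ipfw log line, or None if the line does not match.

    re.search is used so a syslog prefix such as 'ipfw: 100 ' before the action
    is tolerated.
    """
    m = _LINE_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m.group("src6") or m.group("src4"))
        dst = ipaddress.ip_address(m.group("dst6") or m.group("dst4"))
    except ValueError:
        return None
    return LogRecord(
        action=m.group("action"),
        proto=m.group("proto").upper(),
        src=src, sport=int(m.group("srcport")),
        dst=dst, dport=int(m.group("dstport")),
        direction=m.group("direction"),
        iface=m.group("iface"),
    )


def classify_ntp(rec: LogRecord) -> str:
    """Label the NTP flow a packet belongs to (constructed class names).

    - "ntp-reply-ephemeral": inbound from port 123 to a non-123 port, the shape
      of the line in the thread: a server answered a query that left from an
      ephemeral port and no rule admits the return half of the flow (on ipfw
      the usual fix is keep-state on the outgoing NTP rule plus check-state
      before the deny).
    - "ntp-reply-123": inbound from port 123 to port 123, the shape a reply
      takes when the client itself bound source port 123 and nothing rewrote it.
    - "ntp-query-inbound": inbound to port 123 from another port, i.e. someone
      querying this host as an NTP server; dropping it is fine unless we serve NTP.
    - "ntp-outbound": outbound packet involving port 123.
    - "not-ntp": neither endpoint uses port 123, or the protocol is not UDP.
    """
    if rec.proto != "UDP" or (rec.sport != NTP_PORT and rec.dport != NTP_PORT):
        return "not-ntp"
    if rec.direction == "in" and rec.sport == NTP_PORT:
        return "ntp-reply-123" if rec.dport == NTP_PORT else "ntp-reply-ephemeral"
    if rec.direction == "in" and rec.dport == NTP_PORT:
        return "ntp-query-inbound"
    return "ntp-outbound"


def summarize(log: str) -> Dict[str, int]:
    """Count records per class; unparsable lines go under 'unparsed',
    parsed lines whose action is not Deny go under 'not-denied'."""
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            key = "unparsed"
        elif rec.action != "Deny":
            key = "not-denied"
        else:
            key = classify_ntp(rec)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(f"{(classify_ntp(rec) if rec else 'unparsed'):22} {line}")
    print(summarize(SAMPLE_LOG))
```

Run it against `ipfw` log output (or `tail` of the system log where ipfw records land) to see how many of the drops are replies to the host's own queries versus unsolicited queries; only the former call for a state or return-path rule.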