IPFW blocked my IPv6 NTP traffic

elof2 at sentor.se elof2 at sentor.se
Tue Dec 1 17:03:54 UTC 2015


On Tue, 1 Dec 2015, Mark Felder wrote:

>
>
> On Tue, Dec 1, 2015, at 10:50, elof2 at sentor.se wrote:
>>
>> Not that this helps this thread to move on, but just to clarify:
>>
>> In this case, the NAT that would introduce the randomized src port would
>> be *your* NAT, not a NAT at pool.ntp.org.
>>
>>
>> Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
>>
>> The blocked response came from port 123 just as expected.
>>
>> If the client truly sent out a query from src port 123, then it must have
>> been your NAT that picked a free random port to use for its outgoing
>> connection, i.e. port 58285.
>> The server then responds back to your NAT IP 2001:470:1f11:1e8::2 at port
>> 58285.
>> Your NAT should receive the packet, match it against its NAT table, find
>> that it does indeed have an ongoing UDP connection for that particular flow, so
>> it rewrites the dst IP and dst port to your original internal IP address
>> and original port (123) and sends it back to the client.
>>
>> /Elof
>>
>
> There's no NAT involved with my IPv6.

Good. :-)

As I was saying, this was just a sidetrack to clarify that the port NAT 
would not be located at the NTP server side.

/Elof
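The deny line quoted above shows the reply arriving from [server]:123 to the client's ephemeral port 58285, which a ruleset that only admits inbound UDP to port 123 will drop. The NAT-table lookup Elof describes and ipfw's keep-state/check-state dynamic rules are the same idea: remember the outgoing flow and accept the packet that comes back in the reverse direction. The following Python is an added example written for this page, not code from the thread or from FreeBSD; it simulates first-match rule evaluation with dynamic rules, and the two rulesets in it are assumptions chosen to reproduce the logged deny, since the thread never shows the real ruleset.

```python
"""Simulate why an ipfw ruleset keyed on destination port 123 drops an NTP reply.

Added example, not FreeBSD code: a small model of ipfw's stateless matching
and of dynamic rules (keep-state / check-state). Both rulesets below are
assumptions that reproduce the logged deny; the real ruleset is not on the page.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the deny line quoted in the thread, joined onto one line.
IPFW_DENY_LINE = ("Deny UDP [2604:a880:800:10::bc:c004]:123 "
                  "[2001:470:1f11:1e8::2]:58285 in via gif0")

LOG_RE = re.compile(
    r"^(?P<action>\w+) (?P<proto>\w+) \[(?P<src>[0-9a-f:]+)\]:(?P<sport>\d+) "
    r"\[(?P<dst>[0-9a-f:]+)\]:(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def parse_ipfw_log(line: str) -> Packet:
    """Parse an ipfw 'Deny UDP [src]:sport [dst]:dport in via ifN' line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ipfw log line: {line!r}")
    return Packet(m["proto"].lower(), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["dir"])


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches both directions
    sport: Optional[int] = None
    dport: Optional[int] = None
    keep_state: bool = False         # like ipfw keep-state: remember the flow

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First matching rule wins; with check_state, remembered flows (either
    direction) are accepted before the static rules are consulted."""

    def __init__(self, rules, check_state=False):
        self.rules = list(rules)
        self.check_state = check_state
        self.dynamic = set()  # flows recorded by keep-state rules

    def verdict(self, p: Packet) -> str:
        if self.check_state and (p.flow() in self.dynamic
                                 or p.reverse_flow() in self.dynamic):
            return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(p.flow())
                return rule.action
        return "deny"  # implicit final deny


# Assumed stateless ruleset: inbound replies are only accepted when their
# *destination* port is 123, so a reply to an ephemeral client port is dropped.
STATELESS = [
    Rule("allow", direction="out", dport=123),
    Rule("allow", direction="in", sport=123, dport=123),
    Rule("deny"),
]

# Assumed stateful ruleset: the outgoing query records the flow, and the
# reply matches it whatever source port the client chose.
STATEFUL = [
    Rule("allow", direction="out", dport=123, keep_state=True),
    Rule("deny"),
]


def ntp_query_for(reply: Packet) -> Packet:
    """The outgoing query that the logged reply answers (endpoints swapped)."""
    return Packet(reply.proto, reply.dst, reply.dport, reply.src, reply.sport, "out")


def stateless_verdict(line: str = IPFW_DENY_LINE) -> str:
    reply = parse_ipfw_log(line)
    fw = Firewall(STATELESS)
    fw.verdict(ntp_query_for(reply))  # the query is allowed out
    return fw.verdict(reply)          # the reply to port 58285 is not


def stateful_verdict(line: str = IPFW_DENY_LINE) -> str:
    reply = parse_ipfw_log(line)
    fw = Firewall(STATEFUL, check_state=True)
    fw.verdict(ntp_query_for(reply))  # records the flow
    return fw.verdict(reply)          # reverse direction of that flow


def unsolicited_verdict(line: str = IPFW_DENY_LINE) -> str:
    """Same packet with no preceding query: a 'reply' from port 123 that
    nobody asked for must still be dropped by the stateful ruleset."""
    fw = Firewall(STATEFUL, check_state=True)
    return fw.verdict(parse_ipfw_log(line))


if __name__ == "__main__":
    print("stateless:", stateless_verdict())      # deny
    print("stateful:", stateful_verdict())        # allow
    print("unsolicited:", unsolicited_verdict())  # deny
```

The third function is the reason to prefer dynamic rules over widening the stateless one to `allow udp from any 123 to me6 in`: the source port is chosen by whoever sends the packet, so that rule would admit any unsolicited datagram stamped with source port 123, while a dynamic rule only admits the answer to a query the host actually sent. Real ipfw dynamic rules also carry lifetimes and per-rule limits that this model leaves out.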


More information about the freebsd-net mailing list