IPFW blocked my IPv6 NTP traffic
Mark Felder
feld at FreeBSD.org
Tue Dec 1 18:00:49 UTC 2015
On Tue, Dec 1, 2015, at 09:16, wishmaster wrote:
>
> --- Original message ---
> From: "Mark Felder" <feld at freebsd.org>
> Date: 1 December 2015, 17:05:35
>
> > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote:
> > >
> > > Hi, Mark.
> > >
> > > > I'm hoping someone can explain what happened here and this isn't a bug,
> > > > but if it is a bug I'll gladly open a PR.
> > > >
> > > > I noticed in my ipfw logs that I was getting a lot of "DENY" entries for
> > > > an NTP server
> > > >
> > > > Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP
> > > > [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
> > > >
> > > > Strange... I looked at ntpq output and sure enough I was trying to
> > > > communicate with that server. But why was it getting blocked? I don't
> > > > have a rule to allow IPv4 input from source port 123. I expected IPFW to
> > > > handle this for me. I know UDP is stateless, but firewalls are usually
> > > > able to "keep state" for UDP. I looked at my v4 rules and I have
> > > > keep-state on there:
> > > >
> > > > # Allow all outgoing, skip to NAT
> > > > ######################################
> > > > $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks
> > > > $cmd 01310 skipto 5000 udp from any to any out via $pif $ks
> > > > $cmd 01320 skipto 5000 icmp from any to any out via $pif
> > > > ######################################
> > > >
> > > > I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> > > > However, that had no effect. The solution was to add an incoming rule:
> > > >
> > > > $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
> > > >
> > > > This seems wrong. Thoughts?
> > > >
> > >
> > > What is your 5000 rule?
> > >
> >
> > $cmd 05000 nat 1 ip4 from any to any out via $pif
>
> Hey. As I understand, there is a problem with clients from the Internet
> connecting to your NTP server. If yes, why do you use a NAT rule?
>
>
That's the NAT rule for my home network for outbound IPv4. It's working
as expected.
Outbound NTP traffic on high ports (not 123) works fine with IPv4. The
reply from the NTP server is allowed through, presumably from the
keep-state rule on outbound UDP traffic.
Outbound NTP traffic on high ports with IPv6 is allowed outbound but the
replies denied inbound. This has been my source of confusion and concern
considering it should have been allowed by keep-state.
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
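The deny line quoted at the top of the thread is the kind of evidence worth pulling out of the logs systematically: inbound "Deny" entries whose source port is a service the host itself queried (123 for NTP) are replies that a keep-state rule should have matched, so listing them per address family shows at a glance whether the problem is IPv6-only, as Mark describes. The following parser is an added example, not code from the thread or from FreeBSD; it relies on the ipfw log layout visible in the quoted line ("ipfw: <rule> <Action> <PROTO> <src> <dst> <in|out> via <iface>", IPv6 endpoints in brackets), and all sample lines other than the one quoted in the thread are constructed.

```python
"""Parse FreeBSD ipfw kernel log lines and flag denied inbound replies.

Added example, not from the mailing-list thread. Function and class names
are my own; the log layout is the one shown in the quoted log line.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input. The first line is the one quoted in the thread;
# the others are made-up lines covering IPv4, an accepted reply, and noise.
SAMPLE_LOG = [
    "Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP "
    "[2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0",
    "Nov 30 13:35:17 gw kernel: ipfw: 1310 Accept UDP "
    "192.0.2.10:123 198.51.100.7:41000 in via em0",
    "Nov 30 13:35:18 gw kernel: ipfw: 1310 Accept UDP "
    "198.51.100.7:41001 192.0.2.10:123 out via em0",
    "Nov 30 13:35:19 gw kernel: ipfw: 4540 Deny TCP "
    "203.0.113.5:4444 198.51.100.7:22 in via em0",
    "Nov 30 13:35:20 gw sshd[123]: Accepted publickey for user",  # not ipfw
]

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)


@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src_addr: str
    src_port: Optional[int]
    dst_addr: str
    dst_port: Optional[int]
    direction: str
    iface: str
    family: int  # 4 or 6


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int], int]:
    """Return (address, port, family). ipfw writes IPv6 as [addr]:port.

    Protocols logged without a port (e.g. ICMP) yield port None."""
    if endpoint.startswith("["):
        addr, sep, port = endpoint[1:].partition("]:")
        return addr.rstrip("]"), (int(port) if sep else None), 6
    addr, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None, 4
    return addr, int(port), 4


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Parse one syslog line; return None for anything that is not ipfw."""
    m = LOG_RE.search(line)
    if not m:
        return None
    s_addr, s_port, family = split_endpoint(m["src"])
    d_addr, d_port, _ = split_endpoint(m["dst"])
    return IpfwEvent(int(m["rule"]), m["action"], m["proto"], s_addr, s_port,
                     d_addr, d_port, m["direction"], m["iface"], family)


def parse_log(lines: Iterable[str]) -> List[IpfwEvent]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def denied_replies(events: Iterable[IpfwEvent], service_port: int = 123,
                   proto: str = "UDP") -> List[IpfwEvent]:
    """Inbound denies sourced from a service port we query ourselves.

    These are the replies keep-state is expected to let back in; any hit
    here points at a stateful rule that did not fire for that traffic."""
    return [e for e in events
            if e.action == "Deny" and e.direction == "in"
            and e.proto == proto and e.src_port == service_port]


def denied_replies_by_family(events: Iterable[IpfwEvent]) -> dict:
    """Count denied replies per address family, to spot a v6-only problem."""
    counts = {4: 0, 6: 0}
    for e in denied_replies(events):
        counts[e.family] += 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in denied_replies(evs):
        print(f"rule {e.rule}: reply from [{e.src_addr}]:{e.src_port} "
              f"to port {e.dst_port} denied in via {e.iface} (IPv{e.family})")
    print(denied_replies_by_family(evs))
```

Run against a real /var/log/security the same way (read the file line by line into parse_log); an IPv6 count alongside a zero IPv4 count reproduces the symptom from the thread, and the rule number in each event tells you which deny rule is catching the reply before any dynamic rule does.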