IPFW blocked my IPv6 NTP traffic

Mark Felder feld at FreeBSD.org
Tue Dec 1 18:22:38 UTC 2015



On Tue, Dec 1, 2015, at 12:08, Gary Palmer wrote:
> 
> Have you looked at the ipfw state tables to see if a state is recorded?
> 
> ipfw -d list
> 
> I think
> 

Yes, and I can see the state especially for IPv6.

I think I have solved this mystery. There was a problem, and I solved
it, but then was fooled into thinking a problem persisted.

* keep-state was missing for some outbound IPv6 traffic
* IPv6 outbound NTP from my firewall was not using high ports, nor was
IPv4
* A host behind my firewall was found to be running ntpd and ntimed.
ntpd was pointed at the same pool as my firewall and I happened to see
some high-port traffic to the same servers I was associated with.
* This host behind my firewall also has an almost identical IPv6 address
with one octet being a single digit off (1f11 vs 1f10) as well as shares
the same outbound IPv4 address ...
* There was an issue with an IPv6 NTP server or I misread the NTP output
(it was stuck in STEP and seemed to go away when I added an IPFW rule)
* The combination of these coincidences caused confusion and fooled me
into thinking the source was the firewall.

I'm now confident the keep-state works for IPv6 gif interfaces in IPFW
as I can see the states and am now guilty of wasting your time and INBOX
space. :)

At least I was able to find two problems and solve them. Thanks, IPFW
logging!


-- 
  Mark Felder
  ports-secteam member
  feld at FreeBSD.org
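The state-table check Gary suggests and the mix-up Mark describes (a neighbouring host whose IPv6 address differs by one digit sending NTP to the same pool servers) can be triaged with a small filter over `ipfw -d list`. The script below is an added example, not part of this thread and not FreeBSD's own tooling; the sample lines are constructed to approximate the dynamic-rule section of `ipfw -d list` output, the `2001:db8::` addresses and rule numbers are placeholders, and the assumed firewall address is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): attribute dynamic IPFW
# states for NTP (UDP/123) to the local address that created them, so a
# state from a neighbouring host (1f11) is not mistaken for the firewall's
# own (1f10).
#
# The keep-state rule shape the thread is about, shown only as a comment
# (an assumed ruleset, not Mark's): allow outbound UDP/123 from the
# firewall's own IPv6 addresses over the gif tunnel and record state so
# the reply is matched:
#   ipfw add 200 allow udp from me6 to any 123 out via gif0 keep-state

# CONSTRUCTED sample in the shape of `ipfw -d list` dynamic-rule lines.
SAMPLE_STATES='## Dynamic rules (3 64):
00200     3     228 (45s) STATE udp 2001:db8::1f10 123 <-> 2001:db8:1::10 123 :default
00200     1      76 (12s) STATE udp 2001:db8::1f11 51234 <-> 2001:db8:1::10 123 :default
00300    10    1200 (30s) STATE tcp 2001:db8::1f10 44321 <-> 2001:db8:2::53 443 :default'

# ntp_states FIREWALL_ADDR
# Reads `ipfw -d list` output on stdin and prints one line per UDP state
# that involves port 123, labelled "firewall" when the local side is
# FIREWALL_ADDR and "other-host" otherwise.
# Fields: rule pkts bytes (age) STATE proto src sport <-> dst dport :set
ntp_states() {
  awk -v fw="$1" '
    $5 == "STATE" && $6 == "udp" && ($8 == 123 || $11 == 123) {
      src = $7; sport = $8; dst = $10; dport = $11
      origin = (src == fw) ? "firewall" : "other-host"
      printf "%s %s %s -> %s %s\n", origin, src, sport, dst, dport
    }'
}

# Live usage would be:  ipfw -d list | ntp_states 2001:db8::1f10
printf '%s\n' "$SAMPLE_STATES" | ntp_states 2001:db8::1f10
```

Running it against the constructed sample prints two lines: the firewall's own port-123 state and a high-port state belonging to the other host, which is exactly the distinction that was lost when both hosts talked to the same pool servers.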

