IPFW blocked my IPv6 NTP traffic
Mark Felder
feld at FreeBSD.org
Tue Dec 1 18:22:38 UTC 2015
On Tue, Dec 1, 2015, at 12:08, Gary Palmer wrote:
>
> Have you looked at the ipfw state tables to see if a state is recorded?
>
> ipfw -d list
>
> I think
>
Yes, and I can see the state especially for IPv6.
I think I have solved this mystery. There was a problem, and I solved
it, but then was fooled into thinking a problem persisted.
* keep-state was missing for some outbound IPv6 traffic
* IPv6 outbound NTP from my firewall was not using high ports, nor was IPv4
* A host behind my firewall was found to be running ntpd and ntimed. ntpd was pointed at the same pool as my firewall and I happened to see some high-port traffic to the same servers I was associated with.
* This host behind my firewall also has an almost identical IPv6 address with one octet being a single digit off (1f11 vs 1f10) as well as sharing the same outbound IPv4 address ...
* There was an issue with an IPv6 NTP server or I misread the NTP output (it was stuck in STEP and seemed to go away when I added an IPFW rule)
* The combination of these coincidences caused confusion and fooled me into thinking the source was the firewall.
I'm now confident the keep-state works for IPv6 gif interfaces in IPFW
as I can see the states and am now guilty of wasting your time and INBOX
space. :)
At least I was able to find two problems and solve them. Thanks, IPFW
logging!
--
Mark Felder
ports-secteam member
feld at FreeBSD.org