IPFW blocked my IPv6 NTP traffic

Charles Swiger cswiger at mac.com
Mon Nov 30 22:45:28 UTC 2015


Hi, Mark--

On Nov 30, 2015, at 1:58 PM, Mark Felder <feld at FreeBSD.org> wrote:
> [ ... ]
> I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> However, that had no effect. The solution was to add an incoming rule:
> 
> $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
> 
> This seems wrong. Thoughts?

Yes, someone can perform a UDP scan of your network using a source port
of 123.  That's generally not a huge risk, but that very much depends
on what is bound to UDP on your network.

(Note that using a UDP source port of 53 for scans is very popular as well.)

I don't know whether UDP keepstate is broken for IPv6, but freebsd-ipfw folks
might have more info.

Also note that performing stateful filtering of DNS and UDP traffic can
be a bad idea because of DoS potential.  Consider something like this:

# allow DNS,NTP queries out in the world
add pass udp from MYNET HIPORTS to any 53,123
add pass udp from any 53,123 to MYNET HIPORTS
add pass udp from any 53,123 to any 53,123

# traceroute
add pass udp from any HIPORTS to any 33434-33523

# add any other expected UDP traffic here, i.e.:
# add pass udp from any 123,HIPORTS to MYNTPSERVER 123
# add pass udp from MYNTPSERVER 123 to any 123,HIPORTS

# and then log outgoing and block unexpected incoming UDP traffic
add pass log udp from MYNET to any
add unreach filter-prohib log udp from any to any

Regards,
-- 
-Chuck

PS: Yes, I think firewall_flags="-p cpp" is a reasonable choice, but /bin/sh is just fine if you prefer that.  :-)
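The difference between the quoted "src-port 123 in" rule and the stateless port pairs in the reply, worked through as an added example (editor's illustration, not code from this thread or from FreeBSD's rc.firewall). It models ipfw's first-match evaluation in plain Python over constructed IPv6 packets; the MYNET prefix, the HIPORTS range and every address below are assumed placeholder values, and ipfw itself is never invoked:

```python
"""Stateless UDP filter model: evaluates the two rulesets discussed above
against constructed IPv6 packets with ipfw-style first-match semantics.
Added example; not part of the original message or of FreeBSD."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values for the placeholders used in the reply.
MYNET = ip_network("2001:db8:1::/64")   # assumption: the local prefix
HIPORTS = range(1024, 65536)            # assumption: ephemeral port range
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "deny"
    src: object    # ANY or an IPv6Network
    sport: object  # ANY, a set of ports, or a range
    dst: object
    dport: object


def _addr_ok(spec, addr):
    return spec is ANY or ip_address(addr) in spec


def _port_ok(spec, port):
    return spec is ANY or port in spec


def matches(rule, pkt):
    return (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))


def verdict(rules, pkt):
    """First matching rule decides; nothing matched means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Ruleset A: the quoted "allow udp from any to any src-port 123 in" rule,
# followed by a catch-all block.  Inbound direction only is modelled.
RULES_SRCPORT_123 = [
    Rule("pass", ANY, {123}, ANY, ANY),
    Rule("deny", ANY, ANY, ANY, ANY),
]

# Ruleset B: the stateless pairs from the reply, in the same order.
RULES_STATELESS = [
    Rule("pass", MYNET, HIPORTS, ANY, {53, 123}),           # queries out
    Rule("pass", ANY, {53, 123}, MYNET, HIPORTS),           # replies back
    Rule("pass", ANY, {53, 123}, ANY, {53, 123}),           # server to server
    Rule("pass", ANY, HIPORTS, ANY, range(33434, 33524)),   # traceroute
    Rule("pass", MYNET, ANY, ANY, ANY),                     # log outgoing
    Rule("deny", ANY, ANY, ANY, ANY),                       # unreach filter-prohib
]

# Constructed sample traffic (assumed addresses, not captured from any host).
NTP_REPLY = Packet("2001:db8:ffff::123", 123, "2001:db8:1::10", 50231)
SCAN_PROBE = Packet("2001:db8:bad::1", 123, "2001:db8:1::10", 161)   # SNMP port
RANDOM_IN = Packet("2001:db8:bad::1", 40000, "2001:db8:1::10", 40001)


def compare(pkt):
    """Verdict of each ruleset for one packet."""
    return {"srcport123": verdict(RULES_SRCPORT_123, pkt),
            "stateless": verdict(RULES_STATELESS, pkt)}


if __name__ == "__main__":
    for name, pkt in (("ntp reply", NTP_REPLY), ("scan probe", SCAN_PROBE),
                      ("random inbound", RANDOM_IN)):
        print(f"{name:15} {compare(pkt)}")
```

The stateless pairs let the NTP reply through and stop a source-port-123 probe aimed at a low port, but a probe from source port 123 at an ephemeral destination port still passes, because the reply rule has to accept any HIPORTS destination. Only stateful matching against a recorded outbound query closes that gap, at the cost of the state-table exhaustion the reply warns about.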

