IPFW blocked my IPv6 NTP traffic
Mark Felder
feld at FreeBSD.org
Mon Nov 30 21:58:28 UTC 2015
I'm hoping someone can explain what happened here and this isn't a bug,
but if it is a bug I'll gladly open a PR.
I noticed in my ipfw logs that I was getting a log of "DENY" entries for
an NTP server
Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP
[2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
Strange... I looked at ntpq output and sure enough I was trying to
communicate with that server. But why was it getting blocked? I don't
have a rule to allow IPv4 input from source port 123. I expected IPFW to
handle this for me. I know UDP is stateless, but firewalls are usually
able to "keep state" for UDP. I looked at my v4 rules which and I have
keep-state on there:
# Allow all outgoing, skip to NAT
######################################
$cmd 01300 skipto 5000 tcp from any to any out via $pif $ks
$cmd 01310 skipto 5000 udp from any to any out via $pif $ks
$cmd 01320 skipto 5000 icmp from any to any out via $pif
######################################
I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
However, that had no effect. The solution was to add an incoming rule:
$cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
This seems wrong. Thoughts?
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
More information about the freebsd-net
mailing list