Re: Odd ipfw behavior with UDP query on the same host

From: Rodney W. Grimes <freebsd-rwg_at_gndrsh.dnsmgr.net>
Date: Sun, 04 Jun 2023 16:07:50 UTC
> Hey ipfw folks, I'm skipping questions@ and asking this directly here,
> 
> FreeBSD 12.4 (amd64)
> 
> Assume a partial firewall ruleset like this:
> 
> 00300  0   0 allow ip from any to any via lo0
> 00400  0   0 allow ip from any to any via lo1
> 00500  0   0 deny ip from any to 127.0.0.0/8 in
> 00600  0   0 deny ip from any to ::/64 in
> 01600  1 174 allow ip from any to me 53 in // DNS queries

1650 x x allow ip from me 53 to me in // DNS local answers

> 01700  1 293 allow ip from me 53 to any out // DNS responses
> 03000  0   0 reset log ip from any to any
> 65535  0   0 allow ip from any to any
> 
> For some reason, with the above, I'm able to query a DNS server living on my own (public) ipv6 interface, i.e.:
> 
> dig @2001:b00b:6b:2::53 version.bind CH TXT:
> ;communications error to 2001:b00b:6b:2::53#53: timed out
> 
> This is not a bind config problem.  Bind answers from outside and everywhere else but itself.

We can argue about that, but given the below log entries you're not using ::1
for local ipv6 dns, but you're using your interface ipv6 address.
What is in your /etc/resolv.conf file?

> 
> ==
> 
> If I change rule 1600 to simply be "allow ip from any to me 53" it works.
> 
> If I do ipfw disable firewall it works.  
> 
> Localhost always works.
As long as ipv4 is done first, if you flip the order of preference for
ipv4 and ipv6 it probably stops working.

> 
> Using the ipv4 address works.
> 
> ==
> 
> It's only when using an ipv6 interface ip on the same box that this breaks.  TCP also works, this only seems to be a UDP issue.

How are you testing the TCP?

> My best guess is something about the "inbound/outbound" determination logic is weird in ipv6.
> 
> My log rule shows: 
> Jun  3 23:44:35 box kernel: ipfw: 3000 Deny UDP [2001:b00b:6b:2::53]:53 [2001:b00b:6b:2::53]:26588 in via em0
> Jun  3 23:44:40 box kernel: ipfw: 3000 Deny UDP [2001:b00b:6b:2::53]:53 [2001:b00b:6b:2::53]:32389 in via em0

The clue as to what is wrong is right here ----------------------------------------------------------^^^^^^^^^^

The src and dst IP addresses of those packets are the same, and I am going to assume that it is the
interface address of em0.  Nothing in your rule allows these packets through, which are local
answers from DNS to local queries made to that interface IP address.

> 
> ipv4 doesn't show this problem.  Subnet masks and the like are correct.

ipv4 has a special loopback route on lo0 that does not exist for ipv6.
Look at:
	netstat -rn


> Any ideas?
> 
> -Dan

-- 
Rod Grimes                                                 rgrimes@freebsd.org
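Added example, not part of the thread: a small Python script that scans ipfw log lines of the shape quoted above and flags denied packets whose source and destination host address are identical, which is exactly the signature of the box answering itself on an interface address and arriving "in via em0" instead of via lo0. The first two sample lines are the ones from the thread; the third is a constructed entry from a remote resolver (2001:db8::9) for contrast, and the suggested rule follows the `allow ip from me 53 to me in` shape proposed in the reply.

```python
import re
from ipaddress import ip_address

# Sample input: the first two lines are the log entries quoted in the thread,
# the third is a constructed entry from a remote resolver for contrast.
SAMPLE_LOG = """\
Jun  3 23:44:35 box kernel: ipfw: 3000 Deny UDP [2001:b00b:6b:2::53]:53 [2001:b00b:6b:2::53]:26588 in via em0
Jun  3 23:44:40 box kernel: ipfw: 3000 Deny UDP [2001:b00b:6b:2::53]:53 [2001:b00b:6b:2::53]:32389 in via em0
Jun  3 23:45:01 box kernel: ipfw: 3000 Deny UDP [2001:db8::9]:53 [2001:b00b:6b:2::53]:40001 in via em0
"""

# ipfw log line shape: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <ifname>"
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out)(?: via (?P<iface>\S+))?")

def parse_endpoint(text):
    """Split '[2001:db8::1]:53' (IPv6) or '192.0.2.1:53' (IPv4) into (address, port)."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", text)
    if m:
        return ip_address(m.group(1)), int(m.group(2))
    host, port = text.rsplit(":", 1)
    return ip_address(host), int(port)

def find_self_addressed_denies(log_text):
    """Return denied packets whose source and destination host are the same address.
    These are the box answering itself on an interface address; on IPv6 they show up
    'in via <iface>' instead of via lo0, so a 'via lo0' allow rule never matches them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action").lower() != "deny":
            continue
        src, sport = parse_endpoint(m.group("src"))
        dst, dport = parse_endpoint(m.group("dst"))
        if src == dst:
            hits.append({"rule": int(m.group("rule")), "proto": m.group("proto"),
                         "addr": str(src), "sport": sport, "dport": dport,
                         "dir": m.group("dir"), "iface": m.group("iface")})
    return hits

def suggest_rules(hits):
    """One 'allow ip from me <port> to me in' rule (the shape from the reply) per source port seen."""
    return [f"allow ip from me {p} to me in" for p in sorted({h["sport"] for h in hits})]

if __name__ == "__main__":
    found = find_self_addressed_denies(SAMPLE_LOG)
    for h in found:
        print(f"rule {h['rule']}: {h['proto']} {h['addr']} :{h['sport']} -> :{h['dport']} {h['dir']} via {h['iface']}")
    print("\n".join(suggest_rules(found)))
```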