Re: ipfw antispoof differences between 12 and 13

From: Johannes Totz via freebsd-stable <freebsd-stable_at_freebsd.org>
Date: Thu, 21 Oct 2021 01:46:01 +0100
On 19/10/2021 21:20, Johannes Totz wrote:
> Hi folks,
> 
> are there any known differences for how ipfw's antispoof pattern works 
> between 12-stable and 13-stable?
> 
> When upgrading to 13-stable, I've noticed that ipfw started rejecting 
> packets coming from an epair interface, based on an antispoof rule.
> 
> On 12-stable, packets sent via epair (e.g. from inside a jail) do not 
> match, ie do not get rejected:
> 
> ipfw add deny log ip from any to any not antispoof in
> 
> On 13-stable, those packets suddenly match and get rejected.
> 
> Are epair interfaces no longer considered "directly connected"?
> 
> 
> One odd thing I've noticed (since 12-stable) with ipfw logs is that 
> packets from an epair interface are logged as coming via loopback. 
> Here's an example (on 13-stable), from /var/security.log:
> 
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:58297 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:58297 x.x.x.x:53 in via lo0
> host kernel: ipfw: 3600 Accept UDP x.x.x.x:19109 x.x.x.x:53 out via lo0
> host kernel: ipfw: 500 Deny UDP x.x.x.x:19109 x.x.x.x:53 in via lo0
> 
> Rule 3600 is an explicit accept for that epair interface.
> Rule 500 is the antispoof rule above. The address x.x.x.x is explicitly 
> configured for one half of this epair interface.
> 
> There's a paragraph in the ipfw manpage that sounds like this epair vs 
> loopback confusing might be the cause of it.

Ah nvm, it was a routing mistake. Fixing up the routing table by hand 
makes things work again with antispoof and the ipfw log looks much 
better as well.
Received on Thu Oct 21 2021 - 00:46:01 UTC

Original text of this message