IPFW keep-state and software interfaces
Mark Felder
feld at FreeBSD.org
Tue Dec 1 17:50:29 UTC 2015
On Tue, Dec 1, 2015, at 10:27, elof2 at sentor.se wrote:
> On Tue, 1 Dec 2015, Mark Felder wrote:
>
> >
> >
> > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote:
> >>
> >> Hi, Mark.
> >>
> >>
> >>> I'm hoping someone can explain what happened here and this isn't a bug,
> >>> but if it is a bug I'll gladly open a PR.
> >>>
> >>> I noticed in my ipfw logs that I was getting a log of "DENY" entries for
> >>> an NTP server
> >>>
> >>> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP
> >>> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
>
> Three long-shots:
>
> 1)
> I see that you use a gif interface. That makes me wonder:
> Do the 'keep-state' function in 'ipfw' work as bad as it does in 'pf'?
>
> In pf, 'keep state" doesn't keep state between software network
> interfaces and real network interfaces. So if I allow something in via
> tun0 (a software OpenVPN NIC), with keep state, the response is *not*
> automatically (via the state table) allowed back in on the ethernet NIC
> it
> was sent out. So for all my VPN-rules, I have to make two of them like
> this:
>
> Pf example:
> pass in quick on tun0 inet proto tcp from <trusted_networks> to
> <customer_nets> port 22 keep state label "VpnIN - SSH"
> pass out quick on em1 inet proto tcp from <trusted_networks> to
> <customer_nets> port 22 keep state label "DmzOUT - SSH"
>
Curious if anyone on the ipfw list can provide insight into IPFW's
"keep-state" behavior with software network interfaces. Eg, with a gif
tunnel for IPv6. If it's failing to match that might explain why I've
witnessed NTP high-port responses get blocked on v6 but not v4.
Why I'm even seeing high port usage for NTP is yet another mystery I'm
trying to track down.
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
More information about the freebsd-ipfw
mailing list