Date: Tue, 1 Dec 2015 18:03:51 +0100 (CET) From: elof2@sentor.se To: Mark Felder <feld@FreeBSD.org> Cc: freebsd-net <freebsd-net@freebsd.org>, Matthew Seaman <matthew@FreeBSD.org> Subject: Re: IPFW blocked my IPv6 NTP traffic Message-ID: <alpine.BSF.2.00.1512011758470.54839@farmermaggot.shire.sentor.se> In-Reply-To: <1448988747.1302736.454866425.02D98B53@webmail.messagingengine.com> References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> <565DBA5B.20203@FreeBSD.org> <alpine.BSF.2.00.1512011650350.54839@farmermaggot.shire.sentor.se> <1448986156.1288999.454817825.3C08D1EA@webmail.messagingengine.com> <alpine.BSF.2.00.1512011734490.54839@farmermaggot.shire.sentor.se> <1448988747.1302736.454866425.02D98B53@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 1 Dec 2015, Mark Felder wrote: > > > On Tue, Dec 1, 2015, at 10:50, elof2@sentor.se wrote: >> >> Not that this helps this thread to move on, but just to clarify: >> >> In this case, the NAT that would introduce the randomized src port would >> be *your* NAT, not a NAT at pool.ntp.org. >> >> >> Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in >> via gif0 >> >> The blocked response came from port 123 just as expected. >> >> If the client truly sent out a query from src port 123, then it must have >> been your NAT that picked a free random port to use for its outgoing >> connection, i.e. port 58285. >> The server then respond back to your NAT-IP 2001:470:1f11:1e8::2 at port >> 58285. >> Your NAT should receive the packet, match it against its NAT table, find >> that it has indeed an ongoing UDP connection for that particular flow, so >> it rewrites the dst IP and dst port to your original internal IP address >> and original port (123) and send it back to the client. >> >> /Elof >> > > There's no NAT involved with my IPv6. Good. :-) As I was saying, this was just a sidetrack to clarify that the portNAT would not be located at the ntp-server side. /Elof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1512011758470.54839>