From owner-freebsd-net@freebsd.org Tue Dec 1 17:03:54 2015
Date: Tue, 1 Dec 2015 18:03:51 +0100 (CET)
From: elof2@sentor.se
To: Mark Felder
Cc: freebsd-net, Matthew Seaman
Subject: Re: IPFW blocked my IPv6 NTP traffic
In-Reply-To: <1448988747.1302736.454866425.02D98B53@webmail.messagingengine.com>
References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> <565DBA5B.20203@FreeBSD.org> <1448986156.1288999.454817825.3C08D1EA@webmail.messagingengine.com> <1448988747.1302736.454866425.02D98B53@webmail.messagingengine.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
List-Id: Networking and TCP/IP with FreeBSD

On Tue, 1 Dec 2015, Mark Felder wrote:

>
>
> On Tue, Dec 1, 2015, at 10:50, elof2@sentor.se wrote:
>>
>> Not that this helps this thread to move on, but just to clarify:
>>
>> In this case, the NAT that would introduce the randomized src port would
>> be *your* NAT, not a NAT at pool.ntp.org.
>>
>>
>> Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0
>>
>> The blocked response came from port 123 just as expected.
>>
>> If the client truly sent out a query from src port 123, then it must have
>> been your NAT that picked a free random port to use for its outgoing
>> connection, i.e. port 58285.
>> The server then responds back to your NAT IP 2001:470:1f11:1e8::2 at port
>> 58285.
>> Your NAT should receive the packet, match it against its NAT table, find
>> that it has indeed an ongoing UDP connection for that particular flow, so
>> it rewrites the dst IP and dst port to your original internal IP address
>> and original port (123) and sends it back to the client.
>>
>> /Elof
>>
>
> There's no NAT involved with my IPv6.

Good. :-)

As I was saying, this was just a sidetrack to clarify that the port NAT would
not be located at the ntp-server side.

/Elof
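The following is an added example, not code from this thread or from FreeBSD. It replays the blocked reply from the ipfw log line quoted above against two models of what sits between the NTP client and the server: a plain stateful firewall (what `ipfw ... keep-state` does for UDP: admit only the packet that exactly reverses a recorded outbound 5-tuple), and Elof's sidetrack, a port-translating NAT on the client side that picks the ephemeral port and rewrites the reply back to the internal host. The server and external addresses are the ones from the log line; the internal host `2001:db8::10`, the log-line parser, and the two table classes are constructed for the example and are not ipfw's own implementation.

```python
"""Replay the blocked NTP reply from the thread against a stateful-firewall
flow table and against a client-side port NAT.  Added example; the internal
host address and the table logic are constructed, not ipfw/natd code."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Shape of the ipfw log line quoted in the thread: action, protocol,
# [IPv6]:port for source and destination, direction, interface.
IPFW_LOG_RE = re.compile(
    r"^(?P<action>Deny|Accept) (?P<proto>UDP|TCP) "
    r"\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+) "
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)


def norm(addr: str) -> str:
    """Canonical textual form so that equal addresses compare equal."""
    return ipaddress.ip_address(addr).compressed


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The tuple a reply to this packet would carry."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


def parse_ipfw_log(line: str) -> Tuple[str, str, str, Packet]:
    """Return (action, direction, iface, packet) for one ipfw log line."""
    m = IPFW_LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipfw log line: {line!r}")
    pkt = Packet(m["proto"], norm(m["src"]), int(m["sport"]),
                 norm(m["dst"]), int(m["dport"]))
    return m["action"], m["direction"], m["iface"], pkt


class StateTable:
    """Stateful UDP matching: remember outbound tuples, admit exact reverses."""

    def __init__(self) -> None:
        self.flows = set()

    def record_outbound(self, pkt: Packet) -> None:
        self.flows.add(pkt)

    def admits_inbound(self, pkt: Packet) -> bool:
        return pkt.reverse() in self.flows


class PortNat:
    """Port-translating NAT: each internal flow gets its own external source
    port; inbound packets are matched on (remote ip, remote port, external
    port) and rewritten back to the internal address and port."""

    def __init__(self, external_ip: str, first_port: int = 49152) -> None:
        self.external_ip = norm(external_ip)
        self.next_port = first_port
        self.out = {}    # internal Packet -> external source port
        self.back = {}   # (remote ip, remote port, external port) -> internal Packet

    def translate_outbound(self, pkt: Packet) -> Packet:
        if pkt not in self.out:
            self.out[pkt] = self.next_port
            self.back[(pkt.dst, pkt.dport, self.next_port)] = pkt
            self.next_port += 1
        return replace(pkt, src=self.external_ip, sport=self.out[pkt])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        inner = self.back.get((pkt.src, pkt.sport, pkt.dport))
        if inner is None or pkt.dst != self.external_ip:
            return None            # no NAT entry: a real NAT would drop it
        return inner.reverse()     # dst rewritten to internal ip:port


# Addresses from the quoted log line; the internal host is constructed.
LOG_LINE = "Deny UDP [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0"
SERVER = norm("2604:a880:800:10::bc:c004")
EXTERNAL = norm("2001:470:1f11:1e8::2")
INTERNAL = norm("2001:db8::10")   # hypothetical host behind the NAT


def reply_admitted_without_nat(log_line: str, query_sport: int) -> bool:
    """No NAT (Mark's case): the client itself sent the query from query_sport."""
    _, _, _, reply = parse_ipfw_log(log_line)
    st = StateTable()
    st.record_outbound(Packet("UDP", EXTERNAL, query_sport, SERVER, 123))
    return st.admits_inbound(reply)


def reply_through_nat(log_line: str, nat_first_port: int) -> Optional[Packet]:
    """Elof's sidetrack: a client-side NAT picked the ephemeral port.  Returns
    the rewritten packet the internal host would see, or None if unmatched."""
    _, _, _, reply = parse_ipfw_log(log_line)
    nat = PortNat(EXTERNAL, first_port=nat_first_port)
    outer = nat.translate_outbound(Packet("UDP", INTERNAL, 123, SERVER, 123))
    st = StateTable()
    st.record_outbound(outer)
    if not st.admits_inbound(reply):
        return None
    return nat.translate_inbound(reply)


if __name__ == "__main__":
    print("query from 123, no NAT  :", reply_admitted_without_nat(LOG_LINE, 123))
    print("query from 58285, no NAT:", reply_admitted_without_nat(LOG_LINE, 58285))
    print("NAT picked 58285        :", reply_through_nat(LOG_LINE, 58285))
    print("NAT picked 40000        :", reply_through_nat(LOG_LINE, 40000))
```

Without a NAT, the reply to port 58285 is only admitted if the client's own query left from 58285; a query from port 123 never matches it. With a client-side NAT, the reply matches only when the NAT's chosen external port is the one the server answered, and it is then rewritten back to the internal host's port 123, which is the path Elof describes.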