Date: Tue, 01 Dec 2015 12:23:57 -0600 From: Mark Felder <feld@FreeBSD.org> To: freebsd-ipfw@freebsd.org Subject: Re: IPFW keep-state and software interfaces Message-ID: <1448994237.1328914.454960825.14BECB56@webmail.messagingengine.com> In-Reply-To: <1448992228.1319754.454925001.2A341FB4@webmail.messagingengine.com> References: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com> <1448956697.854911427.15is5btc@frv34.fwdcdn.com> <1448982333.1269981.454734633.11BA4DB2@webmail.messagingengine.com> <alpine.BSF.2.00.1512011702240.54839@farmermaggot.shire.sentor.se> <1448992228.1319754.454925001.2A341FB4@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Dec 1, 2015, at 11:50, Mark Felder wrote: > > > On Tue, Dec 1, 2015, at 10:27, elof2@sentor.se wrote: > > On Tue, 1 Dec 2015, Mark Felder wrote: > > > > > > > > > > > On Tue, Dec 1, 2015, at 02:02, wishmaster wrote: > > >> > > >> Hi, Mark. > > >> > > >> > > >>> I'm hoping someone can explain what happened here and this isn't a bug, > > >>> but if it is a bug I'll gladly open a PR. > > >>> > > >>> I noticed in my ipfw logs that I was getting a log of "DENY" entries for > > >>> an NTP server > > >>> > > >>> Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP > > >>> [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 > > > > Three long-shots: > > > > 1) > > I see that you use a gif interface. That makes me wonder: > > Do the 'keep-state' function in 'ipfw' work as bad as it does in 'pf'? > > > > In pf, 'keep state" doesn't keep state between software network > > interfaces and real network interfaces. So if I allow something in via > > tun0 (a software OpenVPN NIC), with keep state, the response is *not* > > automatically (via the state table) allowed back in on the ethernet NIC > > it > > was sent out. So for all my VPN-rules, I have to make two of them like > > this: > > > > Pf example: > > pass in quick on tun0 inet proto tcp from <trusted_networks> to > > <customer_nets> port 22 keep state label "VpnIN - SSH" > > pass out quick on em1 inet proto tcp from <trusted_networks> to > > <customer_nets> port 22 keep state label "DmzOUT - SSH" > > > > Curious if anyone on the ipfw list can provide insight into IPFW's > "keep-state" behavior with software network interfaces. Eg, with a gif > tunnel for IPv6. If it's failing to match that might explain why I've > witnessed NTP high-port responses get blocked on v6 but not v4. > > Why I'm even seeing high port usage for NTP is yet another mystery I'm > trying to track down. > I solved my mystery: it was another host behind my firewall with almost identical IPv6 address. IPv6 "keep-state" with my gif tunnel is working correctly. Nothing to see here, move along. :) -- Mark Felder ports-secteam member feld@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1448994237.1328914.454960825.14BECB56>