Date:      Mon, 30 Nov 2015 14:45:26 -0800
From:      Charles Swiger <cswiger@mac.com>
To:        Mark Felder <feld@FreeBSD.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPFW blocked my IPv6 NTP traffic
Message-ID:  <86B10B8B-6A12-41AB-9C19-17F7E65CDBB4@mac.com>
In-Reply-To: <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com>
References:  <1448920706.962818.454005905.61CF9154@webmail.messagingengine.com>

Hi, Mark--

On Nov 30, 2015, at 1:58 PM, Mark Felder <feld@FreeBSD.org> wrote:
> [ ... ]
> I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> However, that had no effect. The solution was to add an incoming rule:
>
> $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
>
> This seems wrong. Thoughts?

Yes, someone can perform a UDP scan of your network using a source port
of 123.  That's generally not a huge risk, but that very much depends
on what is binding to UDP protocol on your network.

(Note that using a UDP source port of 53 for scans is very popular as well.)

I don't know whether UDP keepstate is broken for IPv6, but freebsd-ipfw folks
might have more info.

Also note that performing stateful filtering of DNS and UDP traffic can
be a bad idea because of DoS potential.  Consider something like this:

# allow DNS,NTP queries out in the world
add pass udp from MYNET HIPORTS to any 53,123
add pass udp from any 53,123 to MYNET HIPORTS
add pass udp from any 53,123 to any 53,123

# traceroute
add pass udp from any HIPORTS to any 33434-33523

# add any other expected UDP traffic here, ie:
# add pass udp from any 123,HIPORTS to MYNTPSERVER 123
# add pass udp from MYNTPSERVER 123 to any 123,HIPORTS

# and then log outgoing and block unexpected incoming UDP traffic
add pass log udp from MYNET to any
add unreach filter-prohib log udp from any to any

Regards,
-- 
-Chuck

PS: Yes, I think firewall_flags="-p cpp" is a reasonable choice, but
/bin/sh is just fine if you prefer that.  :-)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86B10B8B-6A12-41AB-9C19-17F7E65CDBB4>
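To make the difference between the two approaches in this thread concrete, here is an added example (not code from the thread or from FreeBSD) that models ipfw's first-match semantics in Python and evaluates the quoted "allow udp from any to any src-port 123 in" rule against Chuck's stateless rule set. The MYNET prefixes, the expansion of HIPORTS to 1024-65535, the addresses and the probe packets are all assumptions; "via $pif6" and keep-state are not modeled (the point of the stateless set is that no state is needed).

```python
"""Model ipfw first-match semantics for the two UDP rule styles discussed in
the thread.  Added example, not code from the mail or from FreeBSD; the
macro expansions, addresses and packets below are constructed/assumed."""
import ipaddress
from dataclasses import dataclass

# Assumed expansions of the cpp-style macros used in the mail.
MYNET = [ipaddress.ip_network("192.0.2.0/24"),      # RFC 5737 documentation prefix
         ipaddress.ip_network("2001:db8:1::/48")]   # RFC 3849 documentation prefix
HIPORTS_LOW = 1024                                   # HIPORTS assumed to mean 1024-65535


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "deny" (deny stands in for 'unreach filter-prohib')
    src: str                    # "any", "MYNET", or a literal address
    sports: str                 # "any", "HIPORTS", or an ipfw list like "53,123,33434-33523"
    dst: str
    dports: str
    direction: str = "any"      # "in", "out" or "any" (the ipfw 'in'/'out' keyword)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str              # "in" = arriving from the Internet, "out" = leaving MYNET


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec == "HIPORTS":
        return port >= HIPORTS_LOW
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if spec == "MYNET":
        return any(ip in net for net in MYNET)
    return ip == ipaddress.ip_address(spec)


def first_match(rules, pkt: Packet) -> str:
    """ipfw semantics: the first matching rule decides.  Falling off the end
    is treated as deny (assumes the kernel's default-deny rule 65535)."""
    for r in rules:
        if r.direction != "any" and r.direction != pkt.direction:
            continue
        if (addr_match(r.src, pkt.src) and port_match(r.sports, pkt.sport)
                and addr_match(r.dst, pkt.dst) and port_match(r.dports, pkt.dport)):
            return r.action
    return "deny"


# The rule Mark added, minus keep-state and 'via $pif6' (direction kept).
MARK_RULE = [Rule("pass", "any", "123", "any", "any", "in")]

# Chuck's stateless set, transcribed from the message body.
STATELESS = [
    Rule("pass", "MYNET", "HIPORTS", "any", "53,123"),
    Rule("pass", "any", "53,123", "MYNET", "HIPORTS"),
    Rule("pass", "any", "53,123", "any", "53,123"),
    Rule("pass", "any", "HIPORTS", "any", "33434-33523"),
    Rule("pass", "MYNET", "any", "any", "any"),      # 'pass log udp from MYNET to any'
    Rule("deny", "any", "any", "any", "any"),        # 'unreach filter-prohib log udp from any to any'
]


def reachable_low_ports(rules, attacker: str, victim: str, sport: int = 123) -> set:
    """Ports 1-1023 on 'victim' that a probe from 'attacker' with the given
    source port gets through: the source-port-123 UDP scan Chuck describes."""
    return {p for p in range(1, 1024)
            if first_match(rules, Packet(attacker, sport, victim, p, "in")) == "pass"}


if __name__ == "__main__":
    # Constructed attacker/victim pairs; 198.51.100.0/24 and 2001:db8:ffff::/48 play "outside".
    for name, rules in (("Mark's rule", MARK_RULE), ("stateless set", STATELESS)):
        v4 = reachable_low_ports(rules, "198.51.100.7", "192.0.2.10")
        v6 = reachable_low_ports(rules, "2001:db8:ffff::1", "2001:db8:1::10")
        print(f"{name}: sport-123 probe reaches {len(v4)} IPv4 / {len(v6)} IPv6 low ports")
```

With the single src-port-123 rule, a probe from outside reaches every low UDP port on the network (1023 of 1023); with the stateless set it reaches only 53 and 123, while a genuine NTP reply (sport 123 to an ephemeral port) still passes. The caveat a practitioner should keep in mind: the stateless set still admits any packet with source port 53 or 123 to any high port on MYNET, so a daemon bound to a high UDP port remains reachable by a spoofed-source-port scan; keep-state closes that gap at the cost of one state entry per flow, which is the DoS exposure Chuck is warning about.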