Hi, Mark. > I'm hoping someone can explain what happened here and this isn't a bug, > but if it is a bug I'll gladly open a PR. > > I noticed in my ipfw logs that I was getting a log of "DENY" entries for > an NTP server > > Nov 30 13:35:16 gw kernel: ipfw: 4540 Deny UDP > [2604:a880:800:10::bc:c004]:123 [2001:470:1f11:1e8::2]:58285 in via gif0 > > Strange... I looked at ntpq output and sure enough I was trying to > communicate with that server. But why was it getting blocked? I don't > have a rule to allow IPv4 input from source port 123. I expected IPFW to > handle this for me. I know UDP is stateless, but firewalls are usually > able to "keep state" for UDP. I looked at my v4 rules which and I have > keep-state on there: > > # Allow all outgoing, skip to NAT > ###################################### > $cmd 01300 skipto 5000 tcp from any to any out via $pif $ks > $cmd 01310 skipto 5000 udp from any to any out via $pif $ks > $cmd 01320 skipto 5000 icmp from any to any out via $pif > ###################################### > > I noticed my outbound IPv6 didn't have $ks for udp, so I added it. > However, that had no effect. The solution was to add an incoming rule: > > $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks > > This seems wrong. Thoughts? >
What is your 5000 rule? In general on public interface you should: $cmd 12345 allow log all from any to me 123 $ks And for outgoing traffic just: $cmd 1234 allow log all from me to any $ks This works for me. -- Cheers, Vitaliy _______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
