On Tue, Dec 1, 2015, at 12:08, Gary Palmer wrote:
> Have you looked at the ipfw state tables to see if a state is recorded?
>
> ipfw -d list
>
> I think
Yes, and I can see the state, especially for IPv6. I think I have solved this mystery. There was a problem, and I solved it, but then I was fooled into thinking a problem persisted.

* keep-state was missing for some outbound IPv6 traffic
* IPv6 outbound NTP from my firewall was not using high ports, nor was IPv4
* A host behind my firewall was found to be running ntpd and ntimed. ntpd was pointed at the same pool as my firewall, and I happened to see some high-port traffic to the same servers I was associated with.
* This host behind my firewall also has an almost identical IPv6 address, with one octet being a single digit off (1f11 vs 1f10), and shares the same outbound IPv4 address ...
* There was an issue with an IPv6 NTP server, or I misread the NTP output (it was stuck in STEP and seemed to go away when I added an IPFW rule)
* The combination of these coincidences caused confusion and fooled me into thinking the source was the firewall.

I'm now confident the keep-state works for IPv6 gif interfaces in IPFW, as I can see the states, and I am now guilty of wasting your time and INBOX space. :)

At least I was able to find two problems and solve them. Thanks, IPFW logging!

-- 
Mark Felder
ports-secteam member
f...@freebsd.org

freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
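The check Gary suggested, applied to the situation Mark describes (IPv6 states present, NTP from the firewall itself leaving on port 123 rather than a high port, and a LAN host whose address is one digit away from the firewall's), as an added example that is not part of the original thread and is not FreeBSD's or ipfw's own code. It parses the dynamic-rule lines of `ipfw -d list`, reports which IP families actually have states (no IPv6 state while IPv6 traffic flows means an outbound rule lacks keep-state), and for every state towards a given port says whether the source is the firewall or a host behind it and whether the source port is a high port. Assumptions: the dynamic-rule line layout is approximated from memory and may differ by FreeBSD release (adjust `STATE_RE`); the sample output, the 2001:db8:: and 192.0.2.x addresses and the `FIREWALL_ADDRS` list are constructed; "high port" is taken to mean 1024 or above.

```python
"""Triage ipfw dynamic states (output of `ipfw -d list`) to tell flows the
firewall itself originated from flows of hosts behind it.

Added example for this thread, not code from the original post or from FreeBSD.
ASSUMPTIONS: the dynamic-rule line layout is approximated and may differ by
release; sample output and all addresses are constructed; "high port" >= 1024.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

EPHEMERAL_FIRST = 1024  # ASSUMPTION: source ports at or above this count as "high"

# Approximate layout of one dynamic-rule line (ASSUMPTION, adjust per release):
#   <rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport> ...
STATE_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>[a-z0-9]+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

# Constructed sample: two static keep-state rules followed by four dynamic states.
SAMPLE_OUTPUT = """\
00100 allow udp from me6 to any 123 out via gif0 keep-state :default
00200 allow udp from any to any 123 out keep-state :default
## Dynamic rules (4 1024):
00100      12     1104 (298s) STATE udp 2001:db8:1:1f10::1 123 <-> 2001:db8:ffff::10 123 :default
00100       3      276 (295s) STATE udp 2001:db8:1:1f11::1 52344 <-> 2001:db8:ffff::10 123 :default
00200       9      828 (300s) STATE udp 192.0.2.10 123 <-> 203.0.113.5 123 :default
00200       1       92 (290s) STATE udp 192.168.1.20 58811 <-> 203.0.113.5 123 :default
"""

# Constructed: the firewall's own addresses (the ...1f10 host; ...1f11 is a LAN host).
FIREWALL_ADDRS = ("2001:db8:1:1f10::1", "192.0.2.10")


@dataclass(frozen=True)
class DynState:
    rule: int
    proto: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    ttl: int


def parse_states(output: str) -> list[DynState]:
    """Return the dynamic states in `ipfw -d list` output; static rules are skipped."""
    states = []
    for line in output.splitlines():
        m = STATE_RE.match(line)
        if m is None:
            continue
        states.append(DynState(
            rule=int(m["rule"]), proto=m["proto"],
            src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
            ttl=int(m["ttl"]),
        ))
    return states


def families_with_state(output: str) -> set[int]:
    """IP versions that have at least one dynamic state. If 6 is missing while
    IPv6 traffic is flowing, some outbound IPv6 rule lacks keep-state."""
    return {s.src.version for s in parse_states(output)}


def triage(output: str, firewall_addrs, dport: int = 123) -> list[tuple[str, int, str, bool]]:
    """For each state towards `dport` (NTP by default) report
    (source address, source port, 'firewall' or 'behind', high_port).
    Sorting by address puts near-twins such as ...1f10 and ...1f11 side by
    side, which is exactly the pair that is easy to misread in the raw listing."""
    own = {ipaddress.ip_address(a) for a in firewall_addrs}
    rows = []
    for s in parse_states(output):
        if s.dport != dport:
            continue
        who = "firewall" if s.src in own else "behind"
        rows.append((str(s.src), s.sport, who, s.sport >= EPHEMERAL_FIRST))
    return sorted(rows)


if __name__ == "__main__":
    # Usage: ipfw -d list | python3 triage.py   (falls back to the constructed sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("families with state:", sorted(families_with_state(text)))
    for src, sport, who, high in triage(text, FIREWALL_ADDRS):
        print(f"{src:>22} sport={sport:<5} origin={who:<8} high_port={high}")
```

On the constructed sample the two port-123 sources are the firewall itself (the ...1f10 and 192.0.2.10 addresses), and the two high-port sources are the LAN host, which is the distinction that was hard to see by eye in the thread. Note that with NAT the address recorded in an IPv4 state depends on whether the keep-state rule runs before or after the nat rule, so the firewall's own address list should match what the state table actually shows.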