Hi, I added a few rules to my firewall to prevent spoofing source IP addresses. I encountered some (to me) unexpected behaviour where IPv6 traffic originating at the host would match an ipfw rule with "in" and "recv <interface>" set.
I very much appreciate it if someone could replicate the following behaviour, and report the results. 1. Add a firewall rule: "count log ipv6 from me to me not recv lo0" 2. On the host, ping6 to one of it's IP addresses. Here is the result for me: 2001:610:767:4ec1::1 is an IPv6 address of my host. So I would expect that pinging the IP from host itself would use the loopback interface. route get confirms this: % route get -inet6 2001:610:767:4ec1::1 route to: 2001:610:767:4ec1::1 destination: 2001:610:767:4ec1::1 interface: lo0 flags: <UP,HOST,DONE,STATIC> recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 16384 1 0 However, ipfw thinks the traffic is received through another interface: % ipfw add 1200 count log ipv6 from me to me not recv lo0 % ipfw add 1201 count log ipv6 from me to me out not recv lo0 % ipfw add 1202 count log ipv6 from me to me in not recv lo0 % ping6 -c 1 2001:610:767:4ec1::1 > ipfw: 1200 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] > in via em3 > ipfw: 1202 Count ICMPv6:128.0 [2001:610:767:4ec1::1] [2001:610:767:4ec1::1] > in via em3 To add to the confusion, if I would ping the host from an external machine, the return traffic (ICMPv6:129 is the echo reply) would match a "recv" interface as well, even though the ICMP packet originated from the local machine: % ipfw add 1790 $actfake ipv6 from 2001:610:767::0/48 to any recv tun0 > ipfw: 1790 Deny ICMPv6:129.0 [2001:610:767:4ec1::1] > [2001:610:108:2003:9159:9f48:e2c8:196a] out via tun0 IPv4 traffic behaves as I expect (traffic from me to me uses the loopback interface; outgoing ICMP does not match a "recv" rule.) I did not expect this result. 1. Could you replicate this behaviour? 2. Is this intended behaviour? 3. Is this a property of ipfw or the kernel? (e.g. should I report this here or on freebsd-net?) Thanks, Freek _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"