SixXS::Sunset 2017-06-06

ipv6 firewalling
[nl] Carmen Sandiego on Saturday, 21 February 2004 15:37:37
Hi,

My (Linux 2.4.25 based) firewall rejects unwanted packets with an ICMPv6 packet (destination port unreachable). When I telnet from an external machine (xs6.xs4all.nl in this case) to this machine, I can see the ICMP packets going out in response to the TCP SYN packets (using ethereal). So far, so good. However, the client sends about 5 SYN packets before giving up. It looks like the first 4 ICMP packets are not received or are ignored by the client.

When I leave the port open in the firewall script, the kernel sends a TCP RST packet and the client immediately gives up. If I drop the SYN packets, the client times out (of course), but this takes a lot longer than in the first case and the message is also different (time out vs. connection refused). So I think that the client finally receives an ICMP dest. unreachable packet. What I don't get is why it takes 10 to 20 seconds before it gives up. What happens to the first 4 ICMP packets? Are they lost somewhere between the server and the client, does the client ignore them, something else? (BTW: not sure if the client always responds to the 5th packet, this may be different each time. But from what I've seen, it usually is the same.)

Filtering doesn't seem to be the problem, because I can ping the client from the server (and vice versa) without packet loss. I found a few online IPv6 port scanners (nmap) and one of them thinks that my host is down and therefore refuses to perform a scan, while another does a complete scan and reports that all ports are closed (which is correct). If anyone would like to give it a try and see for yourself, the hostname is linux6.z74.net.

If anyone can explain what happens to the ICMP dest. port unreachable packets, please let me know.

Best regards,
Maurice
ipv6 firewalling
[ch] Jeroen Massar SixXS Staff on Wednesday, 25 February 2004 20:36:23
You might want to show the packets, firewall rules, interface and routing tables involved, as without those it is not doable to make a good evaluation of what is going on. It looks more, though, like it simply times out and that the ICMP packets don't come back to the connecting host.
ipv6 firewalling
[nl] Carmen Sandiego on Wednesday, 25 February 2004 20:59:31
Basically, the firewall rules look like this:

$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
<some rules for packets that I want to accept>
$IP6TABLES -A INPUT -p tcp -j REJECT

The routing table is rather long (it's a machine with 4 NICs), so I trimmed it down a bit (I removed the fe80:: stuff and the routes for eth1,2,3). The tunnel (sit2) is a normal IPv6 tunnel over eth0.

# route -A inet6
Kernel IPv6 routing table
Destination              Next Hop   Flags Metric Ref   Use Iface
::1/128                  ::         U     0      336   3   lo
2001:960:2:d4::/128      ::         U     0      0     0   lo
2001:960:2:d4::2/128     ::         U     0      37740 0   lo
2001:960:2:d4::/64       ::         U     256    9485  1   sit2
2001:960:661::/128       ::         U     0      0     0   lo
2001:960:661::1/128      ::         U     0      7136  0   lo
2001:960:661::/64        ::         U     256    0     0   eth0
2000::/3                 ::         U     1      0     0   sit2

# ifconfig sit2
sit2      Link encap:IPv6-in-IPv4
          inet6 addr: fe80::c340:5dbe/64 Scope:Link
          inet6 addr: 2001:960:2:d4::2/64 Scope:Global
          inet6 addr: fe80::c0a8:301/64 Scope:Link
          inet6 addr: fe80::c0a8:2/64 Scope:Link
          inet6 addr: fe80::c0a8:201/64 Scope:Link
          inet6 addr: fe80::c0a8:102/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:44946 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25566 errors:505 dropped:0 overruns:0 carrier:505
          collisions:0 txqueuelen:0
          RX bytes:14744310 (14.0 Mb)  TX bytes:3215728 (3.0 Mb)

Some of the packets (sorry for the long lines):

20:56:30.506692 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.1968 > 2001:960:661::1.telnet: S 3338684850:3338684850(0) win 57344 <mss[|tcp]> (encap)
20:56:30.506905 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: [|icmp6] (encap)
20:56:33.509181 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.1968 > 2001:960:661::1.telnet: S 3338684850:3338684850(0) win 57344 <mss[|tcp]> (encap)
20:56:33.509381 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: [|icmp6] (encap)
20:56:36.707098 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.1968 > 2001:960:661::1.telnet: S 3338684850:3338684850(0) win 57344 <mss[|tcp]> (encap)
20:56:36.707310 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: [|icmp6] (encap)
20:56:39.909118 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.1968 > 2001:960:661::1.telnet: S 3338684850:3338684850(0) win 57344 <mss[|tcp]> (encap)
20:56:39.909312 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: [|icmp6] (encap)
20:56:43.108636 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.1968 > 2001:960:661::1.telnet: S 3338684850:3338684850(0) win 57344 <mss[|tcp]> (encap)
20:56:43.108827 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: [|icmp6] (encap)
ipv6 firewalling
[de] Shadow Hawkins on Wednesday, 25 February 2004 17:12:58
I think that this problem isn't IPv6 related, it's the same for IPv4. I don't know of any TCP stack that's using these ICMP messages, but I've no better solution than just dropping unwanted TCP packets. It takes 10 to 20 seconds before the connecting TCP stack times out. The situation might be a bit better for UDP; there were some OSs which return "connection refused" when receiving these ICMP packets (Solaris?).
ipv6 firewalling
[nl] Carmen Sandiego on Wednesday, 25 February 2004 20:31:20
I don't think it's a time out. This is the result when I simply drop the SYN packets. It times out in 1 minute 15 seconds:

xs6 $ date; telnet linux6.z74.net; date
Wed Feb 25 19:57:39 CET 2004
Trying 2001:960:661::1...
telnet: connect to address 2001:960:661::1: Operation timed out
telnet: Unable to connect to remote host
Wed Feb 25 19:58:54 CET 2004

And this is the result when I send ICMP destination unreachable packets in response to the SYN packets. Connection refused in 13 seconds:

xs6 $ date; telnet linux6.z74.net; date
Wed Feb 25 19:59:13 CET 2004
Trying 2001:960:661::1...
telnet: connect to address 2001:960:661::1: Connection refused
telnet: Unable to connect to remote host
Wed Feb 25 19:59:26 CET 2004

I think 13 seconds is a bit short for a time out, and the error message from telnet is quite different in both cases. Besides, the "Connection refused" message appears right after the (5th, in this case) ICMP packet is sent from my system to xs6. Therefore I assume that telnet gives up after receiving this 5th ICMP packet. With regard to IPv4: sending an ICMP port unreachable is the default when rejecting packets with iptables under Linux. I don't know how other OSs handle this.
ipv6 firewalling
[ch] Jeroen Massar SixXS Staff on Wednesday, 25 February 2004 20:34:50
What does tcpdump -Xns 1500 show?
ipv6 firewalling
[nl] Carmen Sandiego on Wednesday, 25 February 2004 21:05:21
This is the first SYN packet + ICMP packet:

21:00:32.734146 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.2047 > 2001:960:661::1.telnet: S 1230572103:1230572103(0) win 57344 <mss 1440,nop,wscale 0,nop,nop,timestamp 58701981 0> (encap)
0x0000 4500 0064 2d62 0000 1b29 ba41 d5cc c102 E..d-b...).A....
0x0010 c340 5dbe 6000 0000 0028 063c 2001 0888 .@].`....(.<....
0x0020 0000 0001 0000 0000 0000 0666 2001 0960 ...........f...`
0x0030 0661 0000 0000 0000 0000 0001 07ff 0017 .a..............
0x0040 4959 0a47 0000 0000 a002 e000 f495 0000 IY.G............
0x0050 0204 05a0 0103 0300 0101 080a 037f b89d ................
0x0060 0000 0000 ....
21:00:32.734352 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: icmp6: 2001:960:661::1 tcp port telnet unreachable (encap)
0x0000 4500 0094 0000 4000 4029 8273 c340 5dbe E.....@.@).s.@].
0x0010 d5cc c102 6000 0000 0058 3a40 2001 0960 ....`....X:@...`
0x0020 0661 0000 0000 0000 0000 0001 2001 0888 .a..............
0x0030 0000 0001 0000 0000 0000 0666 0104 3980 ...........f..9.
0x0040 0000 0000 6000 0000 0028 063c 2001 0888 ....`....(.<....
0x0050 0000 0001 0000 0000 0000 0666 2001 0960 ...........f...`
0x0060 0661 0000 0000 0000 0000 0001 07ff 0017 .a..............
0x0070 4959 0a47 0000 0000 a002 e000 f495 0000 IY.G............
0x0080 0204 05a0 0103 0300 0101 080a 037f b89d ................
0x0090 0000 0000 ....

And this is the last (5th) one:

21:00:45.327419 213.204.193.2 > 195.64.93.190: 2001:888:0:1::666.2047 > 2001:960:661::1.telnet: S 1230572103:1230572103(0) win 57344 <mss 1440> (encap)
0x0000 4500 0054 f90e 0000 1b29 eea4 d5cc c102 E..T.....)......
0x0010 c340 5dbe 6000 0000 0018 063c 2001 0888 .@].`......<....
0x0020 0000 0001 0000 0000 0000 0666 2001 0960 ...........f...`
0x0030 0661 0000 0000 0000 0000 0001 07ff 0017 .a..............
0x0040 4959 0a47 0000 0000 6002 e000 fdd0 0000 IY.G....`.......
0x0050 0204 05a0 ....
21:00:45.327616 195.64.93.190 > 213.204.193.2: 2001:960:661::1 > 2001:888:0:1::666: icmp6: 2001:960:661::1 tcp port telnet unreachable (encap)
0x0000 4500 0084 0000 4000 4029 8283 c340 5dbe E.....@.@)...@].
0x0010 d5cc c102 6000 0000 0048 3a40 2001 0960 ....`....H:@...`
0x0020 0661 0000 0000 0000 0000 0001 2001 0888 .a..............
0x0030 0000 0001 0000 0000 0000 0666 0104 3990 ...........f..9.
0x0040 0000 0000 6000 0000 0018 063c 2001 0888 ....`......<....
0x0050 0000 0001 0000 0000 0000 0666 2001 0960 ...........f...`
0x0060 0661 0000 0000 0000 0000 0001 07ff 0017 .a..............
0x0070 4959 0a47 0000 0000 6002 e000 fdd0 0000 IY.G....`.......
0x0080 0204 05a0 ....
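As an added example (not code from the thread or from the poster), the following Python decodes the firewall's ICMPv6 reply above from its tcpdump -X hex dump, re-typed here as constructed sample input, and shows that the port-unreachable message carries the complete invoking SYN (addresses, ports, sequence number), which is everything the client's stack needs to match it to the pending connect(); whether the stack acts on it is a per-OS decision, as the thread goes on to observe. It assumes the packet layout seen here (6in4 tunnel, no IPv6 extension headers).

```python
import re
import struct
import ipaddress

# Sample input re-typed from the thread's tcpdump -X output: the firewall's
# ICMPv6 reply, IPv4 (proto 41 tunnel) -> IPv6 -> ICMPv6 -> embedded SYN.
ICMP_DUMP = """\
0x0000 4500 0094 0000 4000 4029 8273 c340 5dbe E.....@.@).s.@].
0x0010 d5cc c102 6000 0000 0058 3a40 2001 0960 ....`....X:@...`
0x0020 0661 0000 0000 0000 0000 0001 2001 0888 .a..............
0x0030 0000 0001 0000 0000 0000 0666 0104 3980 ...........f..9.
0x0040 0000 0000 6000 0000 0028 063c 2001 0888 ....`....(.<....
0x0050 0000 0001 0000 0000 0000 0666 2001 0960 ...........f...`
0x0060 0661 0000 0000 0000 0000 0001 07ff 0017 .a..............
0x0070 4959 0a47 0000 0000 a002 e000 f495 0000 IY.G............
0x0080 0204 05a0 0103 0300 0101 080a 037f b89d ................
0x0090 0000 0000 ....
"""

def hexdump_to_bytes(dump):
    """Collect the hex columns of tcpdump -X lines, skipping the ASCII column."""
    words = []
    for line in dump.splitlines():
        m = re.match(r"0x[0-9a-f]{4}\s+((?:[0-9a-f]{4}\s*){1,8})", line)
        words.append(m.group(1))
    raw = bytes.fromhex("".join(words))
    return raw[:struct.unpack("!H", raw[2:4])[0]]  # trim to IPv4 total length

def decode_icmp6_unreachable(raw):
    """Walk IPv4 -> IPv6 -> ICMPv6 and return what the invoking packet tells the client."""
    if raw[0] >> 4 != 4 or raw[9] != 41:      # outer IPv4 must carry protocol 41 (6in4)
        raise ValueError("not an IPv6-in-IPv4 packet")
    ip6 = raw[(raw[0] & 0xF) * 4:]
    if ip6[0] >> 4 != 6 or ip6[6] != 58:      # next header 58 = ICMPv6
        raise ValueError("not ICMPv6")
    icmp = ip6[40:]
    inner = icmp[8:]                           # invoking packet follows the 8-byte ICMPv6 header
    tcp = inner[40:]                           # assumes no extension headers in the inner IPv6
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return {
        "type": icmp[0], "code": icmp[1],      # 1/4 = Destination Unreachable, port unreachable
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_proto": inner[6],               # 6 = TCP
        "sport": sport, "dport": dport, "seq": seq,
        "syn": bool(tcp[13] & 0x02),
    }
```

The same decoder runs unchanged on the 5th pair in the post; only the IPv4 id, TCP options and checksums differ, which is consistent with the client retransmitting the identical SYN.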
ipv6 firewalling
[de] Shadow Hawkins on Wednesday, 25 February 2004 21:50:32
Ok, you're right. But it really depends on your OS (or maybe application/libc). Using USAGI Linux 2.4.24 (using openssh 3.4) I directly get "Connection refused" with the first ICMP packet from your host. When I try the same with Windows XP and OpenSSH 3.7 it takes three ICMP packets.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker