Thursday, October 17, 2024

networking – Configure macOS firewall to receive packets (udp ipv6)

Crossposted from stackoverflow

I am trying to receive a udp ipv6 packet on a MacBook (macOS Sonoma 14.6) on a residential internet connection.

Disclaimer: I'm a networking noob and a lot of the work below is me trying to learn.

I am following Beej's networking guide to learn how to send packets using the BSD sockets API. I am running listener.c on Mac and talker.c on a cloud instance (aws ec2).

I do not want to use port forwarding or NAT unless absolutely necessary. Ideally residential machines on ipv6 should be able to directly connect peer-to-peer without all that.

  • talker is successfully sending a single ipv6 udp packet from the aws ec2 instance, but listener on macOS is not receiving them.
  • The connection works the other way round: sending an ipv6 udp packet from the MacBook to the aws ec2 instance works fine using talker and listener. (After following the aws guides on configuring aws VPC, subnet, security groups – aws manages firewalls, auto assigns ipv6 addresses if you ask it, etc., so no firewall or network configuration is needed on the box itself.)
  • I can ping the ipv6 address of the MacBook from the aws ec2 instance, and receive a successful response.

The main question here is whether Apple doesn't allow this (incoming ipv6 udp on a MacBook), or whether Apple allows it but I am unable to figure out how to do it.

I haven't tested it myself, but from the docs it does seem Windows Firewall is a lot easier to configure.

My guess is that this has something to do with the macOS pf firewall. Mac has both an Application firewall and a Packet firewall; I couldn't find docs for either of them.

I've tried recording using tcpdump and then running talker. I'm not able to find any UDP packets on the specified port, so I am assuming the packets are being filtered somewhere in between. (Most probably at the packet firewall of the MacBook.)

I've tried using several different internet connections – both residential (fibre optic) and mobile – to confirm the problem is not with a particular ISP's firewall.

Application Firewall

I've opened Settings > Firewall and switched on the Firewall. (I also tried with it switched off; that didn't work either.)

I am not sure at a low level exactly which firewalls this GUI switches on; there was a previous stackoverflow answer that was also confused about this. (Sorry, I am unable to find the link right now, will add it once I do.)

My current settings are below. (I've also tried with other settings such as disabling stealth mode.)

auto allow builtin software, auto allow downloaded signed software, enable stealth mode, whitelist: talker, listener

I am assuming gcc-compiled binaries (gcc -o talker talker.c) are accepted for whitelisting by macOS on this settings page; I've not made a .app file. The GUI didn't stop me from choosing it.

Packet firewall

macOS appears to use pf from BSD to manage its firewall.

By default there are 6 lines in /etc/pf.conf:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Of these only 2 lines are packet filtering rules.

Surprisingly, commenting all 6 of these lines out appears to do basically nothing, at least for outgoing connections. I am still able to browse websites (http ipv4 and ipv6), ssh into cloud machines, etc.

For incoming connections, I am able to ping the ipv6 address of the MacBook from the aws ec2 instance.

(If there is a good test using nmap for example, please let me know. I want to find out why these 6 lines appear to have no effect.)

If I add something like block all then ipv4 and ipv6 outgoing does get blocked, showing this /etc/pf.conf file is not being ignored completely.

/etc/pf.anchors/com.apple is not accessible, so I do not know what pf rules macOS uses by default.

Commands I am using to load new configs of my own and check whether the rules have actually been loaded or not:

sudo pfctl -f /etc/pf.conf
sudo pfctl -E
sudo pfctl -sa

Basically any custom rules I write are being successfully loaded if I check using sudo pfctl -sa.

Lots of different rules I've tried that all didn't work:

pass in inet6 proto udp to port 59999 no state
pass in inet6 proto udp to port 59999 keep state
pass in proto udp to port 4950 keep state
pass in proto udp from any to any port 4950 no state

And so on. I tried with and without keep state, with and without mentioning inet6, with and without mentioning from and to, with and without mentioning specific UDP ports. I am fairly confident my rules are getting loaded correctly.

I've tried this both while keeping the macOS pf rules as well, and without them.

Some posts on the FreeBSD forum suggest also setting up pf rules for other stuff like icmp:
https://forums.freebsd.org/threads/ipv6-not-working-with-pf.66772/

ping is successfully working so I am not sure any of this is needed. I did try blindly copy-pasting some of the rules without fully understanding them; I couldn't get this to work either.

Please let me know if pf rules for ipv6 also require pf rules for other stuff like icmp, and if yes, whether there is a ready-made minimal pf.conf I can find for this.

Scanning the UDP ports of the MacBook from the aws ec2 instance using nmap shows ports as open|filtered, which doesn't help.

I'll try doing tcp packets instead of udp, the main benefit being that at least nmap will tell clearly if ports are open. I will also try using ipv4.

Please let me know if you would like me to run any specific tests.
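A minimal /etc/pf.conf of the kind the post asks for, written here as an added example (it is not from the original post, from Apple, or from the FreeBSD thread linked above). It keeps Apple's anchors, passes the ICMPv6 types IPv6 cannot function without, and passes inbound UDP to the listener; the interface name en0 and port 4950 are assumptions taken from the rules tried above.

```pf
# Added example: minimal macOS /etc/pf.conf for an inbound IPv6 UDP listener.
# Assumptions: the active interface is en0 and listener binds UDP port 4950.
ext_if = "en0"
udp_port = "4950"

# Options must precede rules; loopback is never filtered.
set skip on lo0

# Apple's own anchors, kept so macOS-managed rules (sharing, VPN, etc.) survive.
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"

# pf evaluates every rule and the LAST match wins unless "quick" is used,
# so a block placed after a pass silently overrides it. Block first, then
# let Apple's anchored rules and the explicit passes below win.
block drop in log on $ext_if

anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# IPv6 needs neighbour discovery and router advertisements to keep an
# address at all, toobig for path MTU discovery, and echo for ping6.
pass in quick on $ext_if inet6 proto icmp6 all \
    icmp6-type { echoreq, echorep, routersol, routeradv, neighbrsol, neighbradv, toobig }

# The rule the question is about: inbound UDP to the listener's port,
# stateful so further datagrams of the same flow are accepted too.
pass in quick on $ext_if inet6 proto udp from any to any port $udp_port keep state

# Outbound stays open; the state entry lets replies back in.
pass out quick on $ext_if keep state

# Load and verify (typed in a shell, not part of this file):
#   sudo pfctl -nf /etc/pf.conf      # syntax check only, loads nothing
#   sudo pfctl -f /etc/pf.conf && sudo pfctl -E
#   sudo pfctl -vsr                  # per-rule packet/byte counters
#   sudo tcpdump -ni en0 'udp port 4950'
# BPF (tcpdump) taps the interface before pf filters inbound packets, so a
# datagram pf drops still shows in tcpdump. If tcpdump sees nothing and the
# block rule's counter stays at zero, the packet never reached the Mac and
# the filtering is upstream, typically the home router's IPv6 firewall.
```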
