Crossposted from stackoverflow
I am trying to receive a UDP IPv6 packet on a MacBook (macOS Sonoma 14.6) on a residential internet connection.
Disclaimer: I'm a networking noob and a lot of the work below is me trying to learn.
I am following Beej's networking guide to learn how to send packets using the BSD sockets API. I am running listener.c on the Mac and talker.c on a cloud instance (AWS EC2).
I do not want to use port forwarding or NAT unless absolutely necessary. Ideally residential machines on IPv6 should be able to connect directly peer-to-peer without all that.
- talker is successfully sending a single IPv6 UDP packet from the AWS EC2 instance, but listener on macOS is not receiving it.
- The connection works the other way round: sending an IPv6 UDP packet from the MacBook to the AWS EC2 instance works fine using talker and listener. (After following the AWS guides on configuring the AWS VPC, subnet and security groups. AWS manages firewalls, auto-assigns IPv6 addresses if you ask it, etc., so no firewall or network configuration was needed on the box itself.)
- I can ping the IPv6 address of the MacBook from the AWS EC2 instance and receive a successful response.
The main question here is whether Apple doesn't allow this (incoming IPv6 UDP on a MacBook), or whether Apple allows it but I cannot figure out how to do it.
I have not tested it myself, but from the docs it does seem Windows Firewall is a lot easier to configure.
My guess is that this has something to do with the macOS pf firewall. Mac has both an Application firewall and a Packet firewall; I couldn't find docs for either of them.
I've tried recording using tcpdump and then running talker. I'm not able to find any UDP packets on the specified port, so I am assuming the packets are being filtered somewhere in between. (Most likely on the packet firewall of the MacBook.)
I've tried using several different internet connections, both residential (fibre optic) and mobile, to confirm the problem is not with a particular ISP's firewall.
Application Firewall
I've gone to Settings > Firewall and switched on the Firewall. (I also tried with it switched off; that didn't work either.)
I am not sure at a low level exactly which firewalls this GUI switches on; there was a previous stackoverflow answer that was also confused about this. (Sorry, I cannot find the link right now, will add it once I do.)
My current settings are below. (I've also tried with other settings such as disabling stealth mode.)
I am assuming gcc-compiled binaries (gcc -o talker talker.c) are accepted for whitelisting by macOS on this settings page; I've not made a .app file. The GUI did not stop me from selecting it.
Packet firewall
macOS seems to use pf from BSD to manage its firewall.
By default there are 6 lines in /etc/pf.conf:
    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
Of these only 2 lines are packet filtering rules.
Surprisingly, commenting all 6 of these lines out seems to do basically nothing, at least for outgoing connections. I am still able to browse websites (HTTP over IPv4 and IPv6), ssh into cloud machines, etc.
For incoming connections, I'm able to ping the IPv6 address of the MacBook from the AWS EC2 instance.
(If there is a good test using nmap for example, please let me know. I want to find out why these 6 lines seem to have no effect.)
If I add something like block all, then IPv4 and IPv6 outgoing does get blocked, showing this /etc/pf.conf file is not being ignored completely.
/etc/pf.anchors/com.apple is not accessible, so I do not know what pf rules macOS uses by default.
Commands I am using to load new configs of my own and check whether the rules were actually loaded or not:
    sudo pfctl -f /etc/pf.conf
    sudo pfctl -E
    sudo pfctl -sa
Basically any custom rules I write are being successfully loaded if I check using sudo pfctl -sa.
Several different rules I've tried that all did not work:
    pass in inet6 proto udp to port 59999 no state
    pass in inet6 proto udp to port 59999 keep state
    pass in proto udp to port 4950 keep state
    pass in proto udp from any to any port 4950 no state
And so on. I tried with and without keep state, with and without mentioning inet6, with and without mentioning from and to, with and without mentioning specific UDP ports. I am fairly confident my rules are getting loaded correctly.
I've tried this both while keeping the macOS pf rules as well, and without them.
Some posts on the FreeBSD forum suggest also setting up pf rules for other stuff like icmp:
https://forums.freebsd.org/threads/ipv6-not-working-with-pf.66772/
ping is successfully working, so I am not sure any of this is needed. I did try blindly copy-pasting some of the rules without fully understanding them; I couldn't get this to work either.
Please let me know if pf rules for IPv6 also require pf rules for other stuff like icmp, and if yes, whether there is a ready-made minimal pf.conf I can find for this.
Scanning the UDP ports of the MacBook from the AWS EC2 instance using nmap shows the ports as open|filtered, which doesn't help.
I'll try doing TCP packets instead of UDP, the main benefit being that at least nmap will tell clearly if ports are open. I will also try using IPv4.
Please let me know if you would like me to run any specific tests.
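One check that separates the socket side of the problem from the firewall side, added here as an example and not part of the original post or of Beej's listener.c: it mirrors the getaddrinfo(NULL, port, AI_PASSIVE) step of listener.c to show which address an IPv6 listener binds to, then binds a UDP socket on the wildcard address "::" and sends one datagram to it over the loopback address ::1. The port 4950, the payload and the timeout are assumed values. If the round-trip is delivered on the MacBook itself, the listener socket is set up correctly and the drop is somewhere on the path (ISP, home router, pf or the application firewall); if it is not, the problem is local to the socket or the host's IPv6 configuration before any firewall is involved.

```python
import socket


def listener_bind_candidates(port, family=socket.AF_INET6):
    """Mirror the getaddrinfo(NULL, port, AI_PASSIVE) step of listener.c
    and return the (family name, address) pairs a listener would try to
    bind to. With AI_PASSIVE and no host this is the wildcard "::"."""
    results = socket.getaddrinfo(None, port, family, socket.SOCK_DGRAM,
                                 0, socket.AI_PASSIVE)
    return [(fam.name, sockaddr[0]) for fam, _, _, _, sockaddr in results]


def ipv6_udp_roundtrip(payload=b"probe", timeout=2.0):
    """Bind an IPv6 UDP listener on "::", send one datagram to it over
    loopback (::1) and report what happened.

    Returns ("delivered", data) when the listener received the datagram,
    ("timeout", None) when the socket was bound but nothing arrived, and
    ("unavailable", None) when the host has no usable IPv6 loopback at all
    (for example a container with IPv6 disabled). payload and timeout are
    constructed sample values.
    """
    try:
        listener = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return ("unavailable", None)
    sender = None
    try:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Port 0 lets the kernel pick a free port; listener.c binds a
        # fixed port (4950 in Beej's guide) through the same bind() call.
        listener.bind(("::", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        sender.sendto(payload, ("::1", port))
    except OSError:
        # bind() or sendto() refused: no IPv6 loopback on this host.
        listener.close()
        if sender is not None:
            sender.close()
        return ("unavailable", None)
    try:
        data, _peer = listener.recvfrom(65535)
        return ("delivered", data)
    except socket.timeout:
        return ("timeout", None)
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print("listener would bind:", listener_bind_candidates("4950"))
    print("loopback round-trip:", ipv6_udp_roundtrip())
```

The loopback round-trip only exercises the host's own socket path. To test the firewall path the datagram has to come from outside, which is exactly the tcpdump-plus-talker experiment in the post: if tcpdump on the MacBook's external interface never sees the datagram, it is being dropped before pf or the listener ever get it; if tcpdump sees it and the listener still gets nothing, pf or the application firewall is the place to look.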