From: Christopher Sean Hilton <chris@vindaloo.com>
To: freebsd-questions@freebsd.org
Cc: freebsd-misc@freebsd.org
Date: Wed, 10 Jun 2015 17:12:26 -0400
Subject: pf block policy for IPv6 and IPv4

Good afternoon and thank you in advance.

I'm running FreeBSD 9.3-STABLE:

    FreeBSD anza.example.com 9.3-STABLE \
      FreeBSD 9.3-STABLE #0 r269627: Wed Aug 6 13:48:46 EDT 2014 \
      root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC amd64

on my imap mailserver. It's dual homed and has both A and AAAA records in DNS:

    $ host anza.example.com
    anza.example.com has address 10.17.53.96
    anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0

My pf.conf seems to be pretty standard...

    ext_if="em0"
    int_if="em1"

    set skip on { lo $int_if }

    table persist const { em0:network }
    table persist file "/etc/pf/table/friends"
    table persist

    scrub in no-df

    ## Block inbound packets by default. Use return rather than drop
    ## to make debugging easier as this server is currently internal
    ## only.
    block return log
    block drop log quick from

    pass out

    antispoof quick for { lo $int_if }

    ## Pass ssh but treat jerks and a*holes accordingly.
    pass in on $ext_if proto tcp from to ($ext_if) port ssh \
        keep state
    pass in on $ext_if proto tcp from ! to ($ext_if) port ssh \
        keep state \
        (max-src-conn 5, max-src-conn-rate 5/30, \
        overload flush global)

    ...

Last night as I was testing the configuration of the imap server, I tripped over some unexpected behaviour.

*** The issue was that I had forgotten to add rules for imap to my pf.conf. Testing failed because the service was firewalled off. This was simple to fix and is only ancillary to my question. ***

Here's what I got when I used telnet to connect directly to the service across my network:

    $ telnet anza.example.com 143
    Trying 10.17.53.96...
    telnet: connect to address 10.17.53.96: Connection refused
    Trying fe80::aaaa:bbbb:60:0...
    telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
    telnet: Unable to connect to remote host

The IPv4 connection died immediately with "Connection refused". That's consistent with my firewall rules which say to return a TCP RST for unopened services. However, I expected the IPv6 connection attempt to do the same thing and it didn't. To be clear, I expected:

    block return log

to return a TCP RST across both IPv4 and IPv6 connect attempts to firewalled ports.

If I'm missing something simple here please feel free to pass the cluebat.

Thanks again

-- 
Chris
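The telnet check in the post distinguishes two outcomes by hand: "Connection refused" (a TCP RST came back, which is what `block return` is meant to produce) and "Operation timed out" (nothing came back at all). The script below, added here as an editor's example and not part of Chris's message or of pf, does the same walk over a name's A and AAAA records programmatically and labels each attempt as open, refused, timed out or unreachable, then reports whether the IPv4 and IPv6 results agree, which is the property the post expects of its block policy. All function names are the example's own; the host, port and timeout are parameters, and the address dictionaries used when checking `families_agree` are constructed from the addresses quoted in the post.

```python
"""Probe a host's A and AAAA addresses on one TCP port and classify what came back.

Editor's example for the pf 'block return' question; not part of the original post.
'refused' means a TCP RST arrived (what 'block return' should produce); 'timed out'
means the SYN was silently dropped or never reached a host that answers.
"""
import errno
import socket
import sys

OPEN = "open"                # handshake completed: listening service behind a pass rule
REFUSED = "refused"          # RST received: closed port, or pf 'block return'
TIMED_OUT = "timed out"      # no answer at all: pf 'block drop', or the SYN never arrived
UNREACHABLE = "unreachable"  # ICMP unreachable, or a local routing failure

# errno values the kernel reports when the path fails rather than the peer answering
UNREACHABLE_ERRNOS = (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.ENETDOWN, errno.EHOSTDOWN)


def classify_error(exc):
    """Map the OSError raised by connect() to one of the outcome labels."""
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return TIMED_OUT
    if isinstance(exc, OSError) and exc.errno in UNREACHABLE_ERRNOS:
        return UNREACHABLE
    raise exc  # anything else is an environment or programming error, not a policy result


def family_of(addr):
    """'inet6' for an IPv6 literal, 'inet' otherwise (the same keywords pf uses)."""
    return "inet6" if ":" in addr else "inet"


def probe(addr, port, timeout=3.0):
    """One TCP connect attempt to (addr, port); returns an outcome label."""
    af = socket.AF_INET6 if family_of(addr) == "inet6" else socket.AF_INET
    s = socket.socket(af, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        # A link-local (fe80::/10) destination additionally needs a scope id,
        # i.e. a 4-tuple (addr, port, 0, if_index); global literals work as-is.
        s.connect((addr, port))
        return OPEN
    except OSError as exc:
        return classify_error(exc)
    finally:
        s.close()


def resolve(host, port):
    """Every address the name resolves to, A and AAAA alike, in resolver order."""
    addrs = []
    for _af, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def probe_host(host, port, timeout=3.0):
    """Probe each address of host; returns {address: outcome}."""
    return {addr: probe(addr, port, timeout) for addr in resolve(host, port)}


def families_agree(results):
    """True when the IPv4 and IPv6 attempts produced the same set of outcomes,
    i.e. the block policy behaved identically for both address families."""
    by_family = {}
    for addr, outcome in results.items():
        by_family.setdefault(family_of(addr), set()).add(outcome)
    return len({frozenset(v) for v in by_family.values()}) <= 1


def closed_loopback_port():
    """Pick a loopback port nothing listens on (bind to 0, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 143
    outcome_by_addr = probe_host(target, tcp_port)
    for a, o in outcome_by_addr.items():
        print(f"{family_of(a):5s} {a:40s} {o}")
    print("families agree:", families_agree(outcome_by_addr))
```

Run it as `python3 probe.py anza.example.com 143` from a client host to get one line per resolved address. A `block return` policy that works for both families shows `refused` on every line; a `timed out` on the IPv6 line next to `refused` on the IPv4 line is exactly the asymmetry telnet showed in the post, and the comment in `probe` points at the one case (a link-local destination without a scope id) where the client side rather than the firewall can produce it.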