Date:      Mon, 15 Jun 2015 18:13:32 -0400
From:      Christopher Hilton <chris@vindaloo.com>
To:        freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: pf block policy for IPv6 and IPv4
Message-ID:  <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>
In-Reply-To: <20150610211226.GA35372@kessel.vindaloo.com>
References:  <20150610211226.GA35372@kessel.vindaloo.com>

On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <chris@vindaloo.com> wrote:

> Good afternoon and thank you in advance.
>
> I'm running FreeBSD 9.3-STABLE:
>
>     FreeBSD anza.example.com 9.3-STABLE \
>     FreeBSD 9.3-STABLE #0 r269627: Wed Aug  6 13:48:46 EDT 2014 \
>     root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC  amd64
>
> on my imap mailserver. It's dual homed and has both A and AAAA records
> in DNS:
>
>     $ host anza.example.com
>     anza.example.com has address 10.17.53.96
>     anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
>
>
> My pf.conf seems to be pretty standard...
>
>     ext_if="em0"
>     int_if="em1"
>
>     set skip on { lo $int_if }
>
>     table <my_network> persist const { em0:network }
>     table <friends> persist file "/etc/pf/table/friends"
>
>     table <blackhole> persist
>
>     scrub in no-df
>
>     ## Block inbound packets by default. Use return rather than drop
>     ## to make debugging easier as this server is currently internal
>     ## only.
>
>     block return log
>     block drop log quick from <blackhole>
>
>     pass out
>
>     antispoof quick for { lo $int_if }
>
>     ## Pass ssh but treat jerks and a*holes accordingly.
>
>     pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
>             keep state
>
>     pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
>             keep state \
>             (max-src-conn 5, max-src-conn-rate 5/30, \
>             overload <blackhole> flush global)
>
>     ...
>
> Last night as I was testing the configuration of the imap server, I
> tripped over some unexpected behaviour. *** The issue was that I had
> forgotten to add rules for imap to my pf.conf. Testing failed because
> the service was firewalled off. This was simple to fix and is only
> ancillary to my question. ***
>
> Here's what I got when I used telnet to connect directly to the
> service across my network:
>
>     $ telnet anza.example.com 143
>     Trying 10.17.53.96...
>     telnet: connect to address 10.17.53.96: Connection refused
>     Trying fe80::aaaa:bbbb:60:0...
>     telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
>     telnet: Unable to connect to remote host
>
> The IPv4 connection died immediately with "Connection refused". That's
> consistent with my firewall rules which say to return a TCP RST for
> unopened services. However, I expected the IPv6 connection attempt to
> do the same thing and it didn't. To be clear, I expected:
>
>     block return log
>
> To return a TCP RST across both IPv4 and IPv6 connect attempts to
> firewalled ports.
>
> If I'm missing something simple here please feel free to pass the
> cluebat.
>
> Thanks again
>
> -- Chris
>
>

Changing "block return log" to "block return in log" fixes the problem but I'm still confused about the difference in behavior between IPv6 and IPv4 here.

-- Chris
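As an added illustration, not the poster's own ruleset or anything from the thread, here is the same policy written with the direction stated on every block rule (as in the follow-up), the missing IMAP rules added, and the SSH rules split by address family so that IPv4 and IPv6 hits can be counted separately. The interface names, the table file path, and the choice of the IMAP and IMAPS ports are assumptions carried over from or added to the original post.

```pf
# Added example, not the original poster's configuration.  Assumes em0 is the
# external interface, em1 the internal one, and that /etc/pf/table/friends
# exists (assumptions, as in the lead-in).
ext_if="em0"
int_if="em1"

set skip on { lo $int_if }

# Policy for 'block' rules that do not say 'drop' or 'return' themselves.
# 'return' means a TCP RST for TCP, an ICMP unreachable for UDP, and a
# silent drop for everything else.
set block-policy return

table <my_network> persist const { em0:network }
table <friends>    persist file "/etc/pf/table/friends"
table <blackhole>  persist

scrub in no-df

# Direction made explicit: 'block return log' with no direction matches
# packets in both directions, 'block return in log' matches inbound only.
block return in log
block drop in log quick from <blackhole>

pass out

antispoof quick for { lo $int_if }

# One rule per address family so 'pfctl -vsr' shows separate packet and
# state counters for IPv4 and IPv6 SSH traffic from <friends>.
pass in on $ext_if inet  proto tcp from <friends> to ($ext_if) port ssh keep state
pass in on $ext_if inet6 proto tcp from <friends> to ($ext_if) port ssh keep state

# Everyone else gets rate-limited and overloaded into <blackhole>.
pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
        keep state \
        (max-src-conn 5, max-src-conn-rate 5/30, \
        overload <blackhole> flush global)

# The rules that were missing when the telnet test in the thread failed.
# Limited to the local network, since the server is internal-only for now.
pass in on $ext_if proto tcp from <my_network> to ($ext_if) port { imap, imaps } keep state
```

To check a ruleset like this before loading it, run `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` to load it. `pfctl -vsr` prints each rule with its evaluation, packet and state counters, which is the quickest way to confirm which rule an IPv4 or IPv6 connect attempt actually hit; `tcpdump -n -e -ttt -i pflog0` shows the logged blocks with the matching rule number, and `pfctl -t blackhole -T show` lists addresses that tripped the overload. One general caveat when testing over IPv6: the AAAA record in the thread is a link-local address (fe80::/10), and link-local addresses are only valid on a single link, so a client on another segment, or one that needs to choose between several interfaces, will not reach it regardless of the firewall policy.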

