Date:      Mon, 15 Jun 2015 17:23:40 -0500
From:      Ermal Luçi <eri@freebsd.org>
To:        Christopher Hilton <chris@vindaloo.com>
Cc:        "freebsd-questions@freebsd.org." <freebsd-questions@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: pf block policy for IPv6 and IPv4
Message-ID:  <CAPBZQG0FREus9gAnLCHpuV7RwMSa+ZLep-s2+oRWLgtXWW3zbw@mail.gmail.com>
In-Reply-To: <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>
References:  <20150610211226.GA35372@kessel.vindaloo.com> <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>

On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton <chris@vindaloo.com>
wrote:

>
> On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <chris@vindaloo.com>
> wrote:
>
> > Good afternoon and thank you in advance.
> >
> > I'm running FreeBSD 9.3-STABLE:
> >
> >     FreeBSD anza.example.com 9.3-STABLE \
> >     FreeBSD 9.3-STABLE #0 r269627: Wed Aug  6 13:48:46 EDT 2014 \
> >     root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC  amd64
> >
> > on my imap mailserver. It's dual homed and has both A and AAAA records
> > in DNS:
> >
> >     $ host anza.example.com
> >     anza.example.com has address 10.17.53.96
> >     anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
> >
> >
> > My pf.conf seems to be pretty standard...
> >
> >     ext_if="em0"
> >     int_if="em1"
> >
> >     set skip on { lo $int_if }
> >
> >     table <my_network> persist const { em0:network }
> >     table <friends> persist file "/etc/pf/table/friends"
> >
> >     table <blackhole> persist
> >
> >     scrub in no-df
> >
> >     ## Block inbound packets by default. Use return rather than drop
> >     ## to make debugging easier as this server is currently internal
> >     ## only.
> >
> >     block return log
> >     block drop log quick from <blackhole>
> >
> >     pass out
> >
> >     antispoof quick for { lo $int_if }
> >
> >     ## Pass ssh but treat jerks and a*holes accordingly.
> >
> >     pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
> >             keep state
> >
> >     pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
> >             keep state \
> >             (max-src-conn 5, max-src-conn-rate 5/30, \
> >             overload <blackhole> flush global)
> >
> >     ...
> >
> > Last night as I was testing the configuration of the imap server, I
> > tripped over some unexpected behaviour. *** The issue was that I had
> > forgotten to add rules for imap to my pf.conf. Testing failed because
> > the service was firewalled off. This was simple to fix and is only
> > ancillary to my question. ***
> >
> > Here's what I got when I used telnet to connect directly to the
> > service across my network:
> >
> >     $ telnet anza.example.com 143
> >     Trying 10.17.53.96...
> >     telnet: connect to address 10.17.53.96: Connection refused
> >     Trying fe80::aaaa:bbbb:60:0...
> >     telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
> >     telnet: Unable to connect to remote host
> >
> > The IPv4 connection died immediately with "Connection refused". That's
> > consistent with my firewall rules which say to return a TCP RST for
> > unopened services. However, I expected the IPv6 connection attempt to
> > do the same thing and it didn't. To be clear, I expected:
> >
> >     block return log
> >
> > To return a TCP RST across both IPv4 and IPv6 connect attempts to
> > firewalled ports.
> >
> > If I'm missing something simple here please feel free to pass the
> > cluebat.
> >
> > Thanks again
> >
> > -- Chris
> >
> >
>
> Changing "block return log" to "block return in log" fixes the problem but
> I'm still confused about the difference in behavior between IPv6 and IPv4
> here.
>

It's just a parser of your configuration doing that.
IIRC it even should be documented behaviour.

>
> -- Chris
>
>


-- 
Ermal


