From: Ermal Luçi
To: Christopher Hilton
Cc: "freebsd-questions@freebsd.org.", freebsd-net
Subject: Re: pf block policy for IPv6 and IPv4
Date: Mon, 15 Jun 2015 17:23:40 -0500
In-Reply-To: <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>
References: <20150610211226.GA35372@kessel.vindaloo.com> <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>

On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton wrote:

> > On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton wrote:
> >
> > Good afternoon and thank you in advance.
> >
> > I'm running FreeBSD 9.3-STABLE:
> >
> > FreeBSD anza.example.com 9.3-STABLE \
> > FreeBSD 9.3-STABLE #0 r269627: Wed Aug 6 13:48:46 EDT 2014 \
> > root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC amd64
> >
> > on my imap mailserver. It's dual homed and has both A and AAAA records
> > in DNS:
> >
> > $ host anza.example.com
> > anza.example.com has address 10.17.53.96
> > anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
> >
> > My pf.conf seems to be pretty standard...
> >
> > ext_if="em0"
> > int_if="em1"
> >
> > set skip on { lo $int_if }
> >
> > table persist const { em0:network }
> > table persist file "/etc/pf/table/friends"
> >
> > table persist
> >
> > scrub in no-df
> >
> > ## Block inbound packets by default. Use return rather than drop
> > ## to make debugging easier as this server is currently internal
> > ## only.
> >
> > block return log
> > block drop log quick from
> >
> > pass out
> >
> > antispoof quick for { lo $int_if }
> >
> > ## Pass ssh but treat jerks and a*holes accordingly.
> >
> > pass in on $ext_if proto tcp from to ($ext_if) port ssh \
> > keep state
> >
> > pass in on $ext_if proto tcp from ! to ($ext_if) port ssh \
> > keep state \
> > (max-src-conn 5, max-src-conn-rate 5/30, \
> > overload flush global)
> >
> > ...
> >
> > Last night as I was testing the configuration of the imap server, I
> > tripped over some unexpected behaviour. *** The issue was that I had
> > forgotten to add rules for imap to my pf.conf. Testing failed because
> > the service was firewalled off. This was simple to fix and is only
> > ancillary to my question. ***
> >
> > Here's what I got when I used telnet to connect directly to the
> > service across my network:
> >
> > $ telnet anza.example.com 143
> > Trying 10.17.53.96...
> > telnet: connect to address 10.17.53.96: Connection refused
> > Trying fe80::aaaa:bbbb:60:0...
> > telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
> > telnet: Unable to connect to remote host
> >
> > The IPv4 connection died immediately with "Connection refused". That's
> > consistent with my firewall rules which say to return a TCP RST for
> > unopened services. However, I expected the IPv6 connection attempt to
> > do the same thing and it didn't. To be clear, I expected:
> >
> > block return log
> >
> > To return a TCP RST across both IPv4 and IPv6 connect attempts to
> > firewalled ports.
> >
> > If I'm missing something simple here please feel free to pass the
> > cluebat.
> >
> > Thanks again
> >
> > -- Chris
> >
>
> Changing "block return log" to "block return in log" fixes the problem but
> I'm still confused about the difference in behavior between IPv6 and IPv4
> here.
>

It's just a parser of your configuration doing that. IIRC it even should be
documented behaviour.

> -- Chris
>

--
Ermal
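The thread's symptom (IPv4 "Connection refused", IPv6 "Operation timed out" for the same host and port) only showed up because telnet happened to try both addresses. The following is an added example, not code from the thread or from pf: a small Python checker that resolves every A and AAAA record of a host, probes one TCP port per address, and classifies each attempt as open, refused (a RST came back, as "block return" produces), timeout (the packet was dropped or never answered) or error, then reports whether the address families behaved the same. The host name and port in the main guard are the thread's example values used as assumptions; self_check() runs the same probe logic offline against a loopback listener so the classification can be verified without a network.

```python
"""Dual-stack reachability consistency check (added example, not from the thread)."""
import errno
import socket


def classify(exc):
    """Map a failed connect() to a short, policy-relevant label."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"          # silently dropped or never answered
    if isinstance(exc, ConnectionRefusedError) or getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "refused"          # a TCP RST came back (pf 'block return' or nothing listening)
    return "error:" + (getattr(exc, "strerror", None) or exc.__class__.__name__)


def probe(addr, port, timeout=3.0):
    """Attempt one TCP connect to a literal IPv4 or IPv6 address; return a label."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return "open"
    except OSError as exc:
        return classify(exc)


def resolve(hostname):
    """Return the distinct literal addresses (A and AAAA) of a host, in lookup order."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    seen = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def check_dual_stack(hostname, port, timeout=3.0):
    """Probe the port on every address of hostname; return {address: label}."""
    return {addr: probe(addr, port, timeout) for addr in resolve(hostname)}


def is_consistent(results):
    """True when every address answered the same way (no IPv4/IPv6 policy mismatch)."""
    return len(set(results.values())) <= 1


def self_check():
    """Offline demonstration on loopback: one listening port, then the same port closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))      # kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        open_result = probe("127.0.0.1", port, 2.0)
    # Nothing listens on that port any more, so the kernel answers with RST -> "refused"
    closed_result = probe("127.0.0.1", port, 2.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Assumed target, taken from the thread's example host and the IMAP port it tested.
    results = check_dual_stack("anza.example.com", 143)
    for addr, label in results.items():
        print(f"{addr:>40}  {label}")
    print("consistent across address families:", is_consistent(results))
```

A "refused" on one family and "timeout" on the other is exactly the discrepancy the thread describes; running the checker after every ruleset change makes that mismatch visible immediately rather than when a client happens to prefer the other address family.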