Date: Tue, 16 Jun 2015 21:29:37 -0400
From: Christopher Hilton <chris@vindaloo.com>
To: Ermal Luçi <eri@freebsd.org>
Cc: "freebsd-questions@freebsd.org." <freebsd-questions@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Subject: Re: pf block policy for IPv6 and IPv4
Message-ID: <042EA756-79E8-40C5-836D-711B3E7DEED8@vindaloo.com>
In-Reply-To: <CAPBZQG0FREus9gAnLCHpuV7RwMSa+ZLep-s2+oRWLgtXWW3zbw@mail.gmail.com>
References: <20150610211226.GA35372@kessel.vindaloo.com> <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com> <CAPBZQG0FREus9gAnLCHpuV7RwMSa+ZLep-s2+oRWLgtXWW3zbw@mail.gmail.com>
On Jun 15, 2015, at 6:23 PM, Ermal Luçi <eri@freebsd.org> wrote:
>
> On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton <chris@vindaloo.com> wrote:
>
> On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <chris@vindaloo.com> wrote:
>
> > Good afternoon and thank you in advance.
> >
>
[snip]
> > The IPv4 connection died immediately with "Connection refused". That's
> > consistent with my firewall rules which say to return a TCP RST for
> > unopened services. However, I expected the IPv6 connection attempt to
> > do the same thing and it didn't. To be clear, I expected:
> >
> > block return log
> >
> > To return a TCP RST across both IPv4 and IPv6 connect attempts to
> > firewalled ports.
> >
> > If I'm missing something simple here please feel free to pass the
> > cluebat.
> >
> > Thanks again
> >
> > -- Chris
> >
>
> Changing "block return log" to "block return in log" fixes the problem but I'm still confused about the difference in behavior between IPv6 and IPv4 here.
>
> It's just a parser of your configuration doing that.
> IIRC it even should be documented behaviour.
>

So I should expect block return to treat TCP under IPv4 differently than TCP under IPv6? If that's the case I much prefer the more consistent behavior I see out of the OpenBSD 5.7 box with pf I just put up. On that box, "block return" means send a RST packet under either IPv4 or IPv6.
-- Chris
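The two rule forms discussed in this thread, placed side by side in a minimal pf.conf as an added editor's example (this is not either poster's ruleset). The interface name `em0` and the single allowed service port are assumed placeholders; the observed IPv4/IPv6 difference for the first form is what the thread reports on the poster's FreeBSD host, not a claim about every pf version.

```pf
# Added example, not from the thread. Interface and port are placeholders.
ext_if = "em0"

set skip on lo0

# Form 1: the rule the original poster started with. No direction is given,
# so it matches both inbound and outbound packets. The thread reports that
# on the poster's FreeBSD host this answered IPv4 connects with a TCP RST
# ("Connection refused") but let IPv6 connects time out.
# block return log

# Form 2: the change the poster reports fixed it: an explicit direction.
block return in log

# Caveat when switching from form 1 to form 2: a rule with "in" no longer
# covers outbound traffic, so outbound is now allowed by default. Keep the
# original default-deny for both directions by blocking "out" as well.
block return out log

# Explicit allows. Anything else hits the block rules above and, because of
# "return", gets a TCP RST (TCP) or an ICMP/ICMP6 unreachable (UDP);
# other protocols are silently dropped.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
pass out on $ext_if keep state
```

To see what the parser produced rather than what was written, run `pfctl -vnf /etc/pf.conf` (parse and print the expanded rules without loading them) and, once loaded, `pfctl -sr`; comparing the expanded output for the two forms shows whether the ruleset differs by address family. A connect attempt to a blocked port over IPv4 and over IPv6 (for example with `nc -4` and `nc -6`) then distinguishes a returned RST, which fails immediately, from a silent drop, which hangs until the client times out.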