From owner-freebsd-net@FreeBSD.ORG Mon Jun 15 22:13:37 2015
From: Christopher Hilton <chris@vindaloo.com>
Subject: Re: pf block policy for IPv6 and IPv4
Date: Mon, 15 Jun 2015 18:13:32 -0400
To: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Message-Id: <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>
In-Reply-To: <20150610211226.GA35372@kessel.vindaloo.com>

On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton wrote:

> Good afternoon and thank you in advance.
>
> I'm running FreeBSD 9.3-STABLE:
>
> FreeBSD anza.example.com 9.3-STABLE \
> FreeBSD 9.3-STABLE #0 r269627: Wed Aug 6 13:48:46 EDT 2014 \
> root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC amd64
>
> on my imap mailserver. It's dual homed and has both A and AAAA records
> in DNS:
>
> $ host anza.example.com
> anza.example.com has address 10.17.53.96
> anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
>
>
> My pf.conf seems to be pretty standard...
>
> ext_if="em0"
> int_if="em1"
>
> set skip on { lo $int_if }
>
> table persist const { em0:network }
> table persist file "/etc/pf/table/friends"
>
> table persist
>
> scrub in no-df
>
> ## Block inbound packets by default. Use return rather than drop
> ## to make debugging easier as this server is currently internal
> ## only.
>
> block return log
> block drop log quick from
>
> pass out
>
> antispoof quick for { lo $int_if }
>
> ## Pass ssh but treat jerks and a*holes accordingly.
>
> pass in on $ext_if proto tcp from to ($ext_if) port ssh \
> keep state
>
> pass in on $ext_if proto tcp from ! to ($ext_if) port ssh \
> keep state \
> (max-src-conn 5, max-src-conn-rate 5/30, \
> overload flush global)
>
> ...
>
> Last night as I was testing the configuration of the imap server, I
> tripped over some unexpected behaviour. *** The issue was that I had
> forgotten to add rules for imap to my pf.conf. Testing failed because
> the service was firewalled off. This was simple to fix and is only
> ancillary to my question. ***
>
> Here's what I got when I used telnet to connect directly to the
> service across my network:
>
> $ telnet anza.example.com 143
> Trying 10.17.53.96...
> telnet: connect to address 10.17.53.96: Connection refused
> Trying fe80::aaaa:bbbb:60:0...
> telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
> telnet: Unable to connect to remote host
>
> The IPv4 connection died immediately with "Connection refused". That's
> consistent with my firewall rules which say to return a TCP RST for
> unopened services. However, I expected the IPv6 connection attempt to
> do the same thing and it didn't. To be clear, I expected:
>
> block return log
>
> To return a TCP RST across both IPv4 and IPv6 connect attempts to
> firewalled ports.
>
> If I'm missing something simple here please feel free to pass the
> cluebat.
>
> Thanks again
>
> -- Chris
>
>

Changing "block return log" to "block return in log" fixes the problem
but I'm still confused about the difference in behavior between IPv6 and
IPv4 here.

-- Chris
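The two rule lines the thread contrasts, `block return log` and `block return in log`, differ only in direction: without `in` or `out`, a pf rule matches packets in both directions. The Python below is an added example, not code from the thread or from pf itself. It models pf's two core evaluation semantics (the last matching rule wins, and `quick` stops evaluation) for a toy subset of the rule syntax, so the effect of the `in` keyword can be checked directly. The ruleset inside it is constructed to mirror the shape of the quoted pf.conf, with the table names (which did not survive in the quoted message) left out; interfaces, protocols, tables and state are parsed over and ignored. It does not model how pf generates TCP resets, so it says nothing about why the IPv6 attempt timed out; it only shows what the direction keyword changes and why the later `pass out` masks that change for outbound traffic.

```python
"""Toy model of pf rule evaluation (added illustration, not pf code).

Real semantics kept: default pass when nothing matches, last matching
rule wins, `quick` stops evaluation.  Everything else is simplified."""
from dataclasses import dataclass
from typing import List, Optional

# Service names the toy parser understands (constructed table, not /etc/services).
SERVICES = {"ssh": 22, "imap": 143, "imaps": 993}


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # "in", "out", or None = both directions
    ret: bool = False                # "block return": answer with RST / unreachable
    quick: bool = False              # stop evaluating here if the rule matches
    af: Optional[str] = None         # "inet", "inet6", or None = both
    dport: Optional[int] = None      # destination port, None = any
    log: bool = False


@dataclass
class Packet:
    direction: str  # "in" or "out"
    af: str         # "inet" or "inet6"
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse one block/pass line of the supported subset."""
    toks = line.split()
    rule = Rule(action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t in ("inet", "inet6"):
            rule.af = t
        elif t == "return":
            rule.ret = True
        elif t == "quick":
            rule.quick = True
        elif t == "log":
            rule.log = True
        elif t in ("on", "proto", "from", "to"):
            i += 1  # skip the operand: interfaces, protocols, addresses not modelled
        elif t == "port":
            i += 1
            rule.dport = SERVICES.get(toks[i]) or int(toks[i])
        # "drop", "keep", "state" and anything else carry no meaning here
        i += 1
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    """Keep block/pass lines; comments, macros, tables and options are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line.split()[0] in ("block", "pass"):
            rules.append(parse_rule(line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.af is not None and rule.af != pkt.af:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """Return 'pass', 'block-drop' or 'block-return' for pkt under rules."""
    last = None
    for rule in rules:
        if matches(rule, pkt):
            last = rule
            if rule.quick:
                break
    if last is None or last.action == "pass":
        return "pass"
    return "block-return" if last.ret else "block-drop"


# Constructed rulesets mirroring the shape of the post's pf.conf (tables omitted).
DIRECTIONLESS = """
block return log
pass out
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
"""
INBOUND_ONLY = DIRECTIONLESS.replace("block return log", "block return in log")


def compare(port: int, af: str) -> dict:
    """Verdicts for an inbound and an outbound packet under both rulesets."""
    result = {}
    for name, text in (("directionless", DIRECTIONLESS), ("inbound_only", INBOUND_ONLY)):
        rules = parse_ruleset(text)
        result[name] = {d: verdict(rules, Packet(d, af, port)) for d in ("in", "out")}
    return result


if __name__ == "__main__":
    for af in ("inet", "inet6"):
        print(af, "imap:", compare(143, af), "ssh:", compare(22, af))
    # Drop the later `pass out` and the directionless block also hits outbound traffic.
    print("no pass out:", verdict(parse_ruleset("block return log"), Packet("out", "inet6", 993)),
          "vs", verdict(parse_ruleset("block return in log"), Packet("out", "inet6", 993)))
```

With the full ruleset, both variants give the same verdict for every packet: inbound imap is blocked with return, inbound ssh passes, and outbound traffic passes because `pass out` is the last match. The difference only surfaces when no later rule re-passes outbound traffic, which is why this model alone cannot account for the IPv4/IPv6 asymmetry the poster observed.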