pf block policy for IPv6 and IPv4
Christopher Hilton
chris at vindaloo.com
Mon Jun 15 22:13:37 UTC 2015
On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <chris at vindaloo.com> wrote:
> Good afternoon and thank you in advance.
>
> I'm running FreeBSD 9.3-STABLE:
>
> FreeBSD anza.example.com 9.3-STABLE \
> FreeBSD 9.3-STABLE #0 r269627: Wed Aug 6 13:48:46 EDT 2014 \
> root at dagobah:/usr/obj/amd64/usr/src/sys/GENERIC amd64
>
> on my imap mailserver. It's dual homed and has both A and AAAA records
> in DNS:
>
> $ host anza.example.com
> anza.example.com has address 10.17.53.96
> anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
>
>
> My pf.conf seems to be pretty standard...
>
> ext_if="em0"
> int_if="em1"
>
> set skip on { lo $int_if }
>
> table <my_network> persist const { em0:network }
> table <friends> persist file "/etc/pf/table/friends"
>
> table <blackhole> persist
>
> scrub in no-df
>
> ## Block inbound packets by default. Use return rather than drop
> ## to make debugging easier as this server is currently internal
> ## only.
>
> block return log
> block drop log quick from <blackhole>
>
> pass out
>
> antispoof quick for { lo $int_if }
>
> ## Pass ssh but treat jerks and a*holes accordingly.
>
> pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
> keep state
>
> pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
> keep state \
> (max-src-conn 5, max-src-conn-rate 5/30, \
> overload <blackhole> flush global)
>
> ...
>
> Last night as I was testing the configuration of the imap server, I
> tripped over some unexpected behaviour. *** The issue was that I had
> forgotten to add rules for imap to my pf.conf. Testing failed because
> the service was firewalled off. This was simple to fix and is only
> ancillary to my question. ***
>
> Here's what I got when I used telnet to connect directly to the
> service across my network:
>
> $ telnet anza.example.com 143
> Trying 10.17.53.96...
> telnet: connect to address 10.17.53.96: Connection refused
> Trying fe80::aaaa:bbbb:60:0...
> telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
> telnet: Unable to connect to remote host
>
> The IPv4 connection died immediately with "Connection refused". That's
> consistent with my firewall rules which say to return a TCP RST for
> unopened services. However, I expected the IPv6 connection attempt to
> do the same thing and it didn't. To be clear, I expected:
>
> block return log
>
> To return a TCP RST across both IPv4 and IPv6 connect attempts to
> firewalled ports.
>
> If I'm missing something simple here please feel free to pass the
> cluebat.
>
> Thanks again
>
> -- Chris
>
>
Changing "block return log" to "block return in log" fixes the problem but I'm still confused about the difference in behavior between IPv6 and IPv4 here.
-- Chris
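For readers hitting the same symptom, here is a pf.conf skeleton that applies the directional fix reported above ("block return in log") consistently and adds the rule a dual-stack host usually needs in practice. This is an added example, not the poster's ruleset and not an explanation of the IPv4/IPv6 difference he asks about; the interface names, tables and ssh rules come from the thread, while the ICMPv6 neighbour-discovery rule and the imap rule are assumptions about what the finished configuration needs.

```pf
# Added example (not from the original post): a dual-stack pf.conf
# skeleton with an explicit direction on every block rule, built from
# the interface names and tables in the thread. The neighbour-discovery
# rule is an assumed requirement for IPv6 hosts, not a diagnosis of the
# poster's problem.
ext_if="em0"
int_if="em1"

set skip on { lo $int_if }

table <my_network> persist const { em0:network }
table <friends> persist file "/etc/pf/table/friends"
table <blackhole> persist

scrub in no-df

# Directional default-deny on the external interface: inbound TCP gets
# a RST, inbound UDP an ICMP unreachable, matching the poster's working
# "block return in log". Outbound is decided by the pass out rule below.
block return in log on $ext_if
block drop in log quick on $ext_if from <blackhole>

antispoof quick for { lo $int_if }

# Traffic originating on this host may leave; pf keeps state so the
# replies come back without a matching pass in rule.
pass out on $ext_if keep state

# IPv6 neighbour discovery (assumed requirement): the solicited-node
# NS/NA exchange uses multicast destinations and is not reliably covered
# by state created for outbound traffic, so pass it explicitly in both
# directions before the service rules.
pass in quick on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv }
pass out quick on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv }

# ssh: friends unrestricted, everyone else rate-limited into <blackhole>.
pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
    keep state

pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
    keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, \
    overload <blackhole> flush global)

# imap: the service rule the poster reported having forgotten (assumed
# to be wanted from the local network only).
pass in on $ext_if proto tcp from <my_network> to ($ext_if) port imap \
    keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then repeat the telnet test against both the A and AAAA addresses: with the directional block rule the IPv4 attempt should still be refused immediately, and if the IPv6 attempt also stops timing out the neighbour-discovery rule was doing the work, which can be confirmed by watching `tcpdump -n -e -ttt -i pflog0` for logged ICMPv6 drops with the rule removed.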