pf block policy for IPv6 and IPv4
chris at vindaloo.com
Wed Jun 17 01:29:43 UTC 2015
On Jun 15, 2015, at 6:23 PM, Ermal Luçi <eri at freebsd.org> wrote:
> On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton <chris at vindaloo.com> wrote:
> On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <chris at vindaloo.com> wrote:
> > Good afternoon and thank you in advance.
> > The IPv4 connection died immediatly with "Connection refused". That's
> > consistent with my firewall rules which say to return a TCP RST for
> > unopened services. However, I expected the IPv6 connection attempt to
> > do the same thing and it didn't. To be clear, I expected:
> > block return log
> > To return a TCP RST across both IPv4 and IPv6 connect attempts to
> > firewalled ports.
> > If I'm missing something simple here please feel free to pass the
> > cluebat.
> > Thanks again
> > -- Chris
> Changing "block return log" to "block return in log" fixes the problem but I'm still confused about the difference in behavior between IPv6 and IPv4 here.
> Its just a parser of your configuration doing that.
> IIRC it even should be documented behaviour.
So I should expect block return to treat TCP under IPv4 differently than TCP under IPv6? If that's the case I much prefer the more consistent behavior I see out of the OpenBSD 5.7 box with pf I just put up. On that box, "block return" means send a RST packet under either IPv4 or IPv6.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the freebsd-net