pf block policy for IPv6 and IPv4

Christopher Hilton chris at vindaloo.com
Wed Jun 17 01:29:43 UTC 2015


On Jun 15, 2015, at 6:23 PM, Ermal Luçi <eri at freebsd.org> wrote:

> 
> 
> On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton <chris at vindaloo.com> wrote:
> 
> On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <chris at vindaloo.com> wrote:
> 
> > Good afternoon and thank you in advance.
> >
> 

[snip]

> > The IPv4 connection died immediately with "Connection refused". That's
> > consistent with my firewall rules which say to return a TCP RST for
> > unopened services. However, I expected the IPv6 connection attempt to
> > do the same thing and it didn't. To be clear, I expected:
> >
> >     block return log
> >
> > To return a TCP RST across both IPv4 and IPv6 connect attempts to
> > firewalled ports.
> >
> > If I'm missing something simple here please feel free to pass the
> > cluebat.
> >
> > Thanks again
> >
> > -- Chris
> >
> >
> 
> Changing "block return log" to "block return in log" fixes the problem but I'm still confused about the difference in behavior between IPv6 and IPv4 here.
> 
> It's just the parser of your configuration doing that.
> IIRC it even should be documented behaviour.
> 

So I should expect block return to treat TCP under IPv4 differently than TCP under IPv6? If that's the case, I much prefer the more consistent behavior I see out of the OpenBSD 5.7 box with pf I just put up. On that box, "block return" means send an RST packet under either IPv4 or IPv6.

-- Chris
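As an added example (not part of the thread, and not pf's own code): a small Python probe that reproduces the test Chris describes, connecting to the same port over IPv4 and over IPv6 and reporting whether the SYN got an immediate RST ("refused", what `block return` should produce) or was silently dropped ("timeout"). The host and port on the command line are assumed to be a machine whose firewall policy you are verifying.

```python
"""Probe a TCP port over IPv4 and IPv6 and classify the firewall's answer."""
import errno
import socket
import sys


def classify_connect(host, port, family=socket.AF_UNSPEC, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port.

    'refused' means a TCP RST came back (pf 'block return' behaviour);
    'timeout' means the SYN was dropped silently (pf 'block drop' behaviour).
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unreachable"  # no address of the requested family
    af, socktype, proto, _, sockaddr = infos[0]
    s = socket.socket(af, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.EADDRNOTAVAIL):
            return "unreachable"
        raise
    finally:
        s.close()


def compare_families(host, port, timeout=3.0):
    """Probe the same port over inet and inet6 so an asymmetry between the
    two address families (RST on one, silent drop on the other) stands out."""
    return {
        "inet": classify_connect(host, port, socket.AF_INET, timeout),
        "inet6": classify_connect(host, port, socket.AF_INET6, timeout),
    }


if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    for fam, result in compare_families(target_host, target_port).items():
        print(f"{fam:6s} {target_host}:{target_port} -> {result}")
```

Run it as `python3 probe.py <host> <port>` from outside the firewall; a result of "refused" on one family and "timeout" on the other is exactly the inconsistency discussed above.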
