pf block policy for IPv6 and IPv4
Christopher Sean Hilton
chris at vindaloo.com
Wed Jun 10 21:12:37 UTC 2015
Good afternoon and thank you in advance.
I'm running FreeBSD 9.3-STABLE:
FreeBSD anza.example.com 9.3-STABLE \
FreeBSD 9.3-STABLE #0 r269627: Wed Aug 6 13:48:46 EDT 2014 \
root at dagobah:/usr/obj/amd64/usr/src/sys/GENERIC amd64
on my imap mailserver. It's dual homed and has both A and AAAA records
in DNS:
$ host anza.example.com
anza.example.com has address 10.17.53.96
anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
My pf.conf seems to be pretty standard...
ext_if="em0"
int_if="em1"
set skip on { lo $int_if }
table <my_network> persist const { em0:network }
table <friends> persist file "/etc/pf/table/friends"
table <blackhole> persist
scrub in no-df
## Block inbound packets by default. Use return rather than drop
## to make debugging easier as this server is currently internal
## only.
block return log
block drop log quick from <blackhole>
pass out
antispoof quick for { lo $int_if }
## Pass ssh but treat jerks and a*holes accordingly.
pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
keep state
pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
keep state \
(max-src-conn 5, max-src-conn-rate 5/30, \
overload <blackhole> flush global)
...
Last night as I was testing the configuration of the imap server, I
tripped over some unexpected behaviour. *** The issue was that I had
forgotten to add rules for imap to my pf.conf. Testing failed because
the service was firewalled off. This was simple to fix and is only
ancillary to my question. ***
Here's what I got when I used telnet to connect directly to the
service across my network:
$ telnet anza.example.com 143
Trying 10.17.53.96...
telnet: connect to address 10.17.53.96: Connection refused
Trying fe80::aaaa:bbbb:60:0...
telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
telnet: Unable to connect to remote host
The IPv4 connection died immediately with "Connection refused". That's
consistent with my firewall rules which say to return a TCP RST for
unopened services. However, I expected the IPv6 connection attempt to
do the same thing and it didn't. To be clear, I expected:
block return log
To return a TCP RST across both IPv4 and IPv6 connect attempts to
firewalled ports.
If I'm missing something simple here please feel free to pass the
cluebat.
Thanks again
-- Chris
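The telnet run above is really a two-address-family probe, and the useful observation is not "refused" or "timed out" by itself but that the two families disagree. The script below is an added example (not from the post or from FreeBSD's pf) that repeats that probe in a way that can be scripted and compared: it resolves A and AAAA like telnet does, connects to each address with a timeout, maps the resulting errno onto "refused" (a RST or ICMP port-unreachable came back), "timeout" (silently dropped somewhere, or an address such as the link-local one that never answers), "unreachable" or "open", and then reports whether inet and inet6 got different verdicts. Hostnames, ports and timeouts are whatever you pass in; the only assumption is that an active reject shows up as ECONNREFUSED and a silent drop as a connect timeout, which is what the telnet output above shows.

```python
import errno
import socket
import sys

# Verdict labels: what a firewall observer actually wants to know about each address.
REFUSED = "refused"       # RST (or ICMP/ICMPv6 unreachable) came back: active reject
TIMEOUT = "timeout"       # nothing came back: silent drop, or a peer that never answers
UNREACH = "unreachable"   # local stack has no route / address not usable (e.g. bare fe80::)
OPEN = "open"             # three-way handshake completed


def classify(err):
    """Map the OSError raised by connect() onto one of the verdict labels."""
    if isinstance(err, (socket.timeout, TimeoutError)) or err.errno == errno.ETIMEDOUT:
        return TIMEOUT
    if err.errno == errno.ECONNREFUSED:
        return REFUSED
    if err.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.EHOSTDOWN,
                     errno.EADDRNOTAVAIL, errno.EINVAL):
        return UNREACH
    return "error:%s" % errno.errorcode.get(err.errno, err.errno)


def probe(family, sockaddr, timeout=3.0):
    """Attempt one TCP connect and return a verdict label instead of raising."""
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return OPEN
    except OSError as e:
        return classify(e)
    finally:
        s.close()


def probe_host(host, port, timeout=3.0):
    """Resolve A and AAAA records the way telnet does and probe every address.

    Returns a list of (address_family_label, ip, verdict) tuples.
    """
    results = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        af = "inet6" if family == socket.AF_INET6 else "inet"
        results.append((af, sockaddr[0], probe(family, sockaddr, timeout)))
    return results


def verdicts_by_family(results):
    """Group verdicts per address family: {'inet': {...}, 'inet6': {...}}."""
    grouped = {}
    for af, _, verdict in results:
        grouped.setdefault(af, set()).add(verdict)
    return grouped


def families_disagree(results):
    """True when inet and inet6 produced different verdict sets for the same port.

    That is exactly the symptom in the post: v4 refused, v6 timed out.
    """
    grouped = verdicts_by_family(results)
    return len(grouped) > 1 and len(set(map(frozenset, grouped.values()))) > 1


def local_closed_sockaddr(host="127.0.0.1"):
    """Helper for self-tests: bind an ephemeral port, release it, and hand back the
    (family, sockaddr) so a probe against it yields a genuine kernel RST (REFUSED)."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.bind((host, 0))
    sockaddr = s.getsockname()[:2]
    s.close()
    return family, sockaddr


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    res = probe_host(host, port)
    for af, ip, verdict in res:
        print("%-5s %-40s %s" % (af, ip, verdict))
    if families_disagree(res):
        print("inet and inet6 are not treated the same for port %d" % port)
```

Run it as `python3 probe.py anza.example.com 143` from the same client host the telnet was run on; a "refused" on inet beside a "timeout" on inet6 reproduces the symptom in the post, and the same probe run again from a host on the v6 segment (or against the global rather than the link-local AAAA) separates "pf did not return a RST" from "the link-local address was never reachable from here".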