From: Christopher Hilton <chris@vindaloo.com>
Date: Tue, 16 Jun 2015 21:29:37 -0400
Subject: Re: pf block policy for IPv6 and IPv4
To: Ermal Luçi
Cc: freebsd-questions@freebsd.org, freebsd-net
Message-Id: <042EA756-79E8-40C5-836D-711B3E7DEED8@vindaloo.com>
References: <20150610211226.GA35372@kessel.vindaloo.com> <553873FD-ABD5-46C2-9542-CA5FC0146A71@vindaloo.com>
List-Id: Networking and TCP/IP with FreeBSD

On Jun 15, 2015, at 6:23 PM, Ermal Luçi wrote:

>
>
> On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton wrote:
>
> On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton wrote:
>
> > Good afternoon and thank you in advance.
> >
>
[snip]
> > The IPv4 connection died immediately with "Connection refused". That's
> > consistent with my firewall rules which say to return a TCP RST for
> > unopened services. However, I expected the IPv6 connection attempt to
> > do the same thing and it didn't. To be clear, I expected:
> >
> > block return log
> >
> > To return a TCP RST across both IPv4 and IPv6 connect attempts to
> > firewalled ports.
> >
> > If I'm missing something simple here please feel free to pass the
> > cluebat.
> >
> > Thanks again
> >
> > -- Chris
> >
> >
>
> Changing "block return log" to "block return in log" fixes the problem
> but I'm still confused about the difference in behavior between IPv6 and
> IPv4 here.
>
> It's just a parser of your configuration doing that.
> IIRC it even should be documented behaviour.
>

So I should expect block return to treat TCP under IPv4 differently than
TCP under IPv6? If that's the case I much prefer the more consistent
behavior I see out of the OpenBSD 5.7 box with pf I just put up. On that
box, "block return" means send a RST packet under either IPv4 or IPv6.

-- Chris

[PGP signature attachment omitted]
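As an added example, not taken from the thread or from the pf project, here is a pf.conf excerpt that writes the reject rule in the form the poster reports as working on FreeBSD (direction stated explicitly), together with the pfctl commands for checking what the parser makes of the ruleset before it is loaded. The interface name em0, the host name and the closed port 81 are assumed placeholders.

```pf
# /etc/pf.conf excerpt -- added example, not from the thread.
# ext_if is an assumed interface name; set it to the real one.
ext_if = "em0"

# Default action for a bare "block": answer with TCP RST (or ICMP
# unreachable for non-TCP) instead of silently dropping.
set block-policy return

# The thread reports that the one-line form "block return log" did not
# send a RST for IPv6 on the poster's FreeBSD box, while stating the
# direction explicitly did; so the direction is written out here.
block return in log all           # RST / unreachable for unsolicited inbound
pass out quick keep state         # let the host originate connections

# Expose only the services that are meant to be reachable; everything
# else inbound falls through to the block rule above.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# Verify what the parser does with this before loading it:
#   pfctl -nvf /etc/pf.conf    # parse and print the expanded rules, no load
#   pfctl -sr                  # show the rules currently loaded
# Then connect to a closed port over each address family from another
# host (81 is an assumed closed port):
#   nc -4 -v host 81
#   nc -6 -v host 81
# Both attempts should fail immediately with "Connection refused";
# a timeout on one family means that family is being dropped, not
# answered, and the per-family rule output of pfctl -sr is the place
# to look.
```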