Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 10 Jun 2015 17:12:26 -0400
From:      Christopher Sean Hilton <chris@vindaloo.com>
To:        freebsd-questions@freebsd.org
Cc:        freebsd-misc@freebsd.org
Subject:   pf block policy for IPv6 and IPv4
Message-ID:  <20150610211226.GA35372@kessel.vindaloo.com>

Next in thread | Raw E-Mail | Index | Archive | Help
Good afternoon and thank you in advance.

I'm running FreeBSD 9.3-STABLE:
      
     FreeBSD anza.example.com 9.3-STABLE \
     FreeBSD 9.3-STABLE #0 r269627: Wed Aug  6 13:48:46 EDT 2014 \
     root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC  amd64 

on my imap mailserver. It's dual homed and has both A and AAAA records
in DNS:

     $ host anza.example.com
     anza.example.com has address 10.17.53.96
     anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0


My pf.conf seems to be pretty standard...

     ext_if="em0"
     int_if="em1"

     set skip on { lo $int_if }

     table <my_network> persist const { em0:network }
     table <friends> persist file "/etc/pf/table/friends"

     table <blackhole> persist

     scrub in no-df

     ## Block inbound packets by default. Use return rather than drop
     ## to make debugging easier as this server is currently internal
     ## only.

     block return log
     block drop log quick from <blackhole>

     pass out

     antispoof quick for { lo $int_if }

     ## Pass ssh but treat jerks and a*holes accordingly.

     pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
             keep state

     pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
             keep state \
             (max-src-conn 5, max-src-conn-rate 5/30, \
             overload <blackhole> flush global)

     ...

Last night as I was testing the configuration of the imap server, I
tripped over some unexpected behaviour. *** The issue was that I had
forgotten to add rules for imap to my pf.conf. Testing failed because
the service was firewalled off. This was simple to fix and is only
ancilliary to my question. *** 

Here's what I got when I used telnet to connect directly to the
service across my network:

     $ telnet anza.example.com 143
     Trying 10.17.53.96...
     telnet: connect to address 10.17.53.96: Connection refused
     Trying fe80::aaaa:bbbb:60:0...
     telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
     telnet: Unable to connect to remote host

The IPv4 connection died immediatly with "Connection refused". That's
consistent with my firewall rules which say to return a TCP RST for
unopened services. However, I expected the IPv6 connection attempt to
do the same thing and it didn't. To be clear, I expected:

     block return log

To return a TCP RST across both IPv4 and IPv6 connect attempts to
firewalled ports.

If I'm missing something simple here please feel free to pass the
cluebat.

Thanks again

-- Chris





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20150610211226.GA35372>