On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <ch...@vindaloo.com> wrote:
> Good afternoon and thank you in advance.
>
> I'm running FreeBSD 9.3-STABLE:
>
> FreeBSD anza.example.com 9.3-STABLE \
> FreeBSD 9.3-STABLE #0 r269627: Wed Aug 6 13:48:46 EDT 2014 \
> root@dagobah:/usr/obj/amd64/usr/src/sys/GENERIC amd64
>
> on my imap mailserver. It's dual homed and has both A and AAAA records
> in DNS:
>
> $ host anza.example.com
> anza.example.com has address 10.17.53.96
> anza.example.com has IPv6 address fe80::aaaa:bbbb:60:0
>
>
> My pf.conf seems to be pretty standard...
>
> ext_if="em0"
> int_if="em1"
>
> set skip on { lo $int_if }
>
> table <my_network> persist const { em0:network }
> table <friends> persist file "/etc/pf/table/friends"
>
> table <blackhole> persist
>
> scrub in no-df
>
> ## Block inbound packets by default. Use return rather than drop
> ## to make debugging easier as this server is currently internal
> ## only.
>
> block return log
> block drop log quick from <blackhole>
>
> pass out
>
> antispoof quick for { lo $int_if }
>
> ## Pass ssh but treat jerks and a*holes accordingly.
>
> pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh \
>         keep state
>
> pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
>         keep state \
>         (max-src-conn 5, max-src-conn-rate 5/30, \
>         overload <blackhole> flush global)
>
> ...
>
> Last night as I was testing the configuration of the imap server, I
> tripped over some unexpected behaviour. *** The issue was that I had
> forgotten to add rules for imap to my pf.conf. Testing failed because
> the service was firewalled off. This was simple to fix and is only
> ancillary to my question. ***
>
> Here's what I got when I used telnet to connect directly to the
> service across my network:
>
> $ telnet anza.example.com 143
> Trying 10.17.53.96...
> telnet: connect to address 10.17.53.96: Connection refused
> Trying fe80::aaaa:bbbb:60:0...
> telnet: connect to address fe80::aaaa:bbbb:60:0: Operation timed out
> telnet: Unable to connect to remote host
>
> The IPv4 connection died immediately with "Connection refused". That's
> consistent with my firewall rules which say to return a TCP RST for
> unopened services. However, I expected the IPv6 connection attempt to
> do the same thing and it didn't. To be clear, I expected:
>
> block return log
>
> To return a TCP RST across both IPv4 and IPv6 connect attempts to
> firewalled ports.
>
> If I'm missing something simple here please feel free to pass the
> cluebat.
>
> Thanks again
>
> -- Chris
>

Changing "block return log" to "block return in log" fixes the problem but I'm still confused about the difference in behavior between IPv6 and IPv4 here.

-- Chris
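The ruleset below is an added example, not Chris's pf.conf or a diagnosis of his case. It assumes the same interface names and tables as the quoted ruleset (em0 external, em1 internal, the <friends> and <blackhole> tables) and the service names from /etc/services (imap is 143, imaps is 993). It makes three changes a reviewer would want on a dual-stack host with a default-deny policy: the inbound block is written as "block return in log", the form Chris reports as working; the imap rules he mentions forgetting are written once per address family, so a rule that accidentally covers only inet or only inet6 is visible at a glance; and the ICMPv6 neighbour-discovery types are passed explicitly, because an IPv6 host behind a default-deny pf ruleset that blocks neighbour solicitations cannot be reached at all and remote connects hang instead of being rejected (a general IPv6-on-pf caveat, not a claim about what happened here). The IMAP rules use "from any" because the original says the server is internal only; narrow them to a table as the ssh rules do if that changes.

```pf
# Added example, not the original ruleset. Assumes em0/em1 and the
# <friends> and <blackhole> tables from the quoted pf.conf.
ext_if="em0"
int_if="em1"

set skip on { lo $int_if }

table <friends> persist file "/etc/pf/table/friends"
table <blackhole> persist

scrub in no-df

# Default-deny inbound only, rejecting actively (TCP RST for TCP, ICMP
# unreachable otherwise) so a blocked connect fails fast on both families.
# "in" is written explicitly, the form reported as working.
block return in log
block drop in log quick from <blackhole>

pass out

antispoof quick for { lo $int_if }

# IPv6 neighbour discovery must get through a default-deny policy or the
# host is unreachable over IPv6; "toobig" keeps path-MTU discovery working.
pass in on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, toobig }
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach }

# The IMAP rules that were missing, one line per address family so that a
# rule limited to a single family stands out on review.
pass in on $ext_if inet  proto tcp from any to ($ext_if) port { imap, imaps } keep state
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port { imap, imaps } keep state

# ssh, with the same overload protection as the original ruleset.
pass in on $ext_if proto tcp from <friends> to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp from !<friends> to ($ext_if) port ssh \
        keep state \
        (max-src-conn 5, max-src-conn-rate 5/30, overload <blackhole> flush global)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and list the parsed rules with `pfctl -sr` to confirm each inet6 line survived. Because the block rules are logged, `tcpdump -n -e -ttt -i pflog0 port 143` while repeating the telnet test shows which address family is hitting the block rule and whether the rejected packet is inbound or outbound, which is the first thing to establish when IPv4 and IPv6 behave differently.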