On Jun 15, 2015, at 6:23 PM, Ermal Luçi <e...@freebsd.org> wrote:

> On Mon, Jun 15, 2015 at 5:13 PM, Christopher Hilton <ch...@vindaloo.com> wrote:
>
>> On Jun 10, 2015, at 5:12 PM, Christopher Sean Hilton <ch...@vindaloo.com> wrote:
>>
>>> Good afternoon and thank you in advance.
>>>
>>> [snip]
>>>
>>> The IPv4 connection died immediately with "Connection refused". That's
>>> consistent with my firewall rules which say to return a TCP RST for
>>> unopened services. However, I expected the IPv6 connection attempt to
>>> do the same thing and it didn't. To be clear, I expected:
>>>
>>>     block return log
>>>
>>> To return a TCP RST across both IPv4 and IPv6 connect attempts to
>>> firewalled ports.
>>>
>>> If I'm missing something simple here please feel free to pass the
>>> cluebat.
>>>
>>> Thanks again
>>>
>>> -- Chris
>>
>> Changing "block return log" to "block return in log" fixes the problem but
>> I'm still confused about the difference in behavior between IPv6 and IPv4
>> here.
>
> It's just a parser of your configuration doing that.
> IIRC it even should be documented behaviour.

So I should expect block return to treat TCP under IPv4 differently than TCP under IPv6? If that's the case I much prefer the more consistent behavior I see out of the OpenBSD 5.7 box with pf I just put up. On that box, "block return" means send a RST packet under either IPv4 or IPv6.

-- Chris
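The cross-family consistency the thread is asking about can be checked from a host outside the firewall. The probe below is added here and is not part of the thread; it classifies a TCP connect as answered with a RST ("rst", the "Connection refused" case), silently dropped ("drop", the connect times out), or accepted ("open"), and compares the verdict over IPv4 and IPv6. The host names, the port and the timeout are placeholders to substitute for the firewall under test.

```python
import socket


def probe(host, port, timeout=3.0):
    """Classify how one TCP connect attempt to host:port is answered.

    "rst"  -> the peer (or a firewall with 'block return') sent a TCP RST
    "drop" -> nothing came back inside the timeout ('block drop' behaviour)
    "open" -> the three-way handshake completed
    """
    try:
        family, socktype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolvable"
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(addr)
        return "open"
    except ConnectionRefusedError:      # RST received
        return "rst"
    except socket.timeout:              # no answer at all
        return "drop"
    except OSError:                     # e.g. no IPv6 route on this host
        return "unreachable"
    finally:
        s.close()


def compare_families(host4, host6, port, timeout=3.0):
    """Probe the same port over both address families.

    With a rule such as 'block return in log' covering both inet and inet6,
    a firewalled port should report "rst" for both; a mismatch is the
    behaviour the thread describes.
    """
    r4 = probe(host4, port, timeout)
    r6 = probe(host6, port, timeout)
    return {"inet": r4, "inet6": r6, "consistent": r4 == r6}


def listening_socket(host="127.0.0.1"):
    """Helper for local checks: a bound, listening socket on an ephemeral port."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((host, 0))
    ls.listen(1)
    return ls, ls.getsockname()[1]


if __name__ == "__main__":
    # placeholder hostnames and port for the firewall being checked
    print(compare_families("fw.example.test", "fw6.example.test", 2222))
```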