Hi, I've problems with block return-rst on IPv6. It works fine on IPv4 but fails on IPv6.
The following setup gives no problems:

ipf6.rules:
-----------------------
pass in log quick all
pass out log quick all
-----------------------

When I'm trying to connect to port 7777 it sends the RST so it works fine:

tcpdump:
-----------------------
23:28:12.724297 3ffe:8114:2000:15b0::1.ica > 3ffe:8114:2000:15b0:203:47ff:feae:db86.afs3-fileserver: S 599052263:599052263(0) win 57344 <mss 1440,nop,wscale 0,nop,nop,timestamp 311441133 0>
23:28:12.724340 3ffe:8114:2000:15b0:203:47ff:feae:db86.afs3-fileserver > 3ffe:8114:2000:15b0::1.ica: R 0:0(0) ack 599052264 win 0
-----------------------

ipmon:
-----------------------
22/03/2003 23:28:12.724314 fxp0 @0:1 p 3ffe:8114:2000:15b0::1,1494 -> 3ffe:8114:2000:15b0:203:47ff:feae:db86,7000 PR tcp len 40 40 -S 599052263 0 57344 IN
22/03/2003 23:28:12.724335 fxp0 @0:1 p 3ffe:8114:2000:15b0:203:47ff:feae:db86,7000 -> 3ffe:8114:2000:15b0::1,1494 PR tcp len 40 20 -AR 0 599052264 0 OUT
-----------------------

But the following setup with a block return-rst doesn't work as expected:

ipf6.rules:
-----------------------
pass in quick on lo0 all
pass out quick on lo0 all
pass out log quick on fxp0 proto tcp all keep state
pass out log quick on fxp0 proto udp all keep state
pass out log quick on fxp0 proto ipv6-icmp all keep state
pass in log quick on fxp0 proto tcp from any to any port = 21 flags S keep state
pass in log quick on fxp0 proto tcp from any to any port = 22 flags S keep state
pass in log quick on fxp0 proto tcp from any to any port = 80 flags S keep state
pass in log quick on fxp0 proto tcp from any to any port = 113 flags S keep state
pass in log quick on fxp0 proto udp from any to any port = 53 keep state
pass in log quick on fxp0 proto ipv6-icmp from any to any keep state
block return-rst in log quick on fxp0 proto tcp all
block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp all
block return-icmp-as-dest(host-unr) in log quick on fxp0 proto ipv6-icmp all
block in log quick on fxp0 all
block out log quick on fxp0 all
-----------------------

And again a connect to port 7777:

tcpdump:
-----------------------
23:31:57.855063 3ffe:8114:2000:15b0::1.liberty-lm > 3ffe:8114:2000:15b0:203:47ff:feae:db86.afs3-fileserver: S 230847522:230847522(0) win 57344 <mss 1440,nop,wscale 0,nop,nop,timestamp 311463648 0>
-----------------------

ipmon:
-----------------------
22/03/2003 23:31:57.855076 fxp0 @0:8 b 3ffe:8114:2000:15b0::1,1496 -> 3ffe:8114:2000:15b0:203:47ff:feae:db86,7000 PR tcp len 40 40 -S 230847522 0 57344 IN
-----------------------

The first packet arrives and while a RST should be sent back, nothing happens. However, the stats for the block return-rst rule are being increased.

Is this some kind of bug??

My environment:

# uname -srm
FreeBSD 4.8-RC i386
# ipf -V
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.31

Thanks,
Peter
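
Added example, not part of the original message: a Python check that reads old-style tcpdump text output like the captures above and lists every initial SYN that got no RST back with ack = seq + 1, which is the symptom reported for the return-rst rule on IPv6. The function names, the one-second window and the trimmed sample lines are assumptions made for this illustration.

```python
import re

# Old-style tcpdump text output, the format of the captures quoted in the post.
PKT = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+) > (\S+): (\S+) "
                 r"(\d+):\d+\(\d+\)(?: ack (\d+))?")

A = "3ffe:8114:2000:15b0::1"                  # connecting host, from the post
B = "3ffe:8114:2000:15b0:203:47ff:feae:db86"  # filtered host, from the post

# Sample input: the two captures from the post, TCP options trimmed.
CAPTURE_PASS_ALL = [
    f"23:28:12.724297 {A}.ica > {B}.afs3-fileserver: S 599052263:599052263(0) win 57344",
    f"23:28:12.724340 {B}.afs3-fileserver > {A}.ica: R 0:0(0) ack 599052264 win 0",
]
CAPTURE_RETURN_RST = [
    f"23:31:57.855063 {A}.liberty-lm > {B}.afs3-fileserver: S 230847522:230847522(0) win 57344",
]

def parse(line):
    """Return time, endpoints, flags, seq and ack of one TCP line, or None."""
    m = PKT.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst, flags, seq, ack = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src, "dst": dst,
            "flags": flags, "seq": int(seq), "ack": int(ack) if ack else None}

def unanswered_syns(lines, window=1.0):
    """Initial SYNs with no RST (ack == seq + 1) from the reverse endpoints.

    Assumes the capture does not span midnight (timestamps carry no date).
    """
    pkts = [p for p in map(parse, lines) if p]
    missing = []
    for syn in pkts:
        if "S" not in syn["flags"] or syn["ack"] is not None:
            continue  # not an initial SYN
        want = (syn["seq"] + 1) % 2**32
        if not any("R" in p["flags"] and p["src"] == syn["dst"]
                   and p["dst"] == syn["src"] and p["ack"] == want
                   and 0 <= p["t"] - syn["t"] <= window for p in pkts):
            missing.append(syn)
    return missing

if __name__ == "__main__":
    for name, cap in (("pass all", CAPTURE_PASS_ALL), ("return-rst", CAPTURE_RETURN_RST)):
        print(name, [f'{p["src"]} seq {p["seq"]}' for p in unanswered_syns(cap)])
```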
