Hi,

given the following ruleset:

[EMAIL PROTECTED] ~]# uname -rs
OpenBSD 4.2 (stable)
[EMAIL PROTECTED] ~]# cat /etc/pf.conf
set block-policy return
pass log keep state
block return quick log inet proto tcp from any to (self) port 23
block return quick log inet6 proto tcp from any to (self) port 23
[EMAIL PROTECTED] ~]# pfctl -sr
pass log all flags S/SA keep state
block return log quick inet proto tcp from any to (self) port = telnet
block return log quick inet6 proto tcp from any to (self) port = telnet
[EMAIL PROTECTED] ~]#

it seems that IPv6 packets to TCP 23 are dropped while IPv4 packets are rejected:

[EMAIL PROTECTED] ~]# time telnet 192.168.0.90 23
Trying 192.168.0.90...
telnet: connect to address 192.168.0.90: Connection refused
   0m0.01s real     0m0.00s user     0m0.01s system
[EMAIL PROTECTED] ~]# time telnet 2001:db8::90 23
Trying 2001:db8::90...
telnet: connect to address 2001:db8::90: Connection timed out
   1m15.00s real     0m0.00s user     0m0.01s system
[EMAIL PROTECTED] ~]#

[EMAIL PROTECTED] ~]# tcpdump -n port 23
tcpdump: listening on bge0, link-type EN10MB
19:34:22.368490 192.168.0.80.41744 > 192.168.0.90.23: S 1404470573:1404470573(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1014512094 0> (DF) [tos 0x10]
19:34:22.368528 192.168.0.90.23 > 192.168.0.80.41744: R 0:0(0) ack 1404470574 win 0 (DF) [tos 0x10]
19:34:29.043558 2001:db8::80.20054 > 2001:db8::90.23: S 3867869617:3867869617(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3656304168[|tcp]> [flowlabel 0xafb8]
19:34:35.033822 2001:db8::80.20054 > 2001:db8::90.23: S 3867869617:3867869617(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3656304180[|tcp]> [flowlabel 0xafb8]
19:34:47.033356 2001:db8::80.20054 > 2001:db8::90.23: S 3867869617:3867869617(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3656304204[|tcp]> [flowlabel 0xafb8]
^C
11360 packets received by filter
0 packets dropped by kernel
[EMAIL PROTECTED] ~]#

Is that expected?

Thanks, Helmut

--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn
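
Added example, not part of the original post: a small Python check that reads tcpdump output in the format shown above and reports, per connection attempt, whether the SYN was answered with an RST ("rejected"), with a SYN/ACK ("accepted"), or only retransmitted with no reply ("dropped"). The function names are this example's own, and the sample lines are abbreviated from the capture in the post (TCP options trimmed).

```python
import re

# Abbreviated from the tcpdump capture in the post (TCP options trimmed).
CAPTURE = """\
19:34:22.368490 192.168.0.80.41744 > 192.168.0.90.23: S 1404470573:1404470573(0) win 16384 (DF) [tos 0x10]
19:34:22.368528 192.168.0.90.23 > 192.168.0.80.41744: R 0:0(0) ack 1404470574 win 0 (DF) [tos 0x10]
19:34:29.043558 2001:db8::80.20054 > 2001:db8::90.23: S 3867869617:3867869617(0) win 16384 [flowlabel 0xafb8]
19:34:35.033822 2001:db8::80.20054 > 2001:db8::90.23: S 3867869617:3867869617(0) win 16384 [flowlabel 0xafb8]
19:34:47.033356 2001:db8::80.20054 > 2001:db8::90.23: S 3867869617:3867869617(0) win 16384 [flowlabel 0xafb8]
"""

# timestamp, "addr.port > addr.port:", then the TCP flag letters
LINE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) ")

def split_endpoint(ep):
    """Split tcpdump's 'addr.port'; the port follows the last dot for IPv4 and IPv6."""
    addr, port = ep.rsplit(".", 1)
    return addr, int(port)

def classify(capture):
    """Map (client, server) -> {'syns': n, 'verdict': ...} for each SYN seen."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        has_ack = " ack " in line
        if flags == "S" and not has_ack:      # client SYN or its retransmit
            flow = flows.setdefault((src, dst), {"syns": 0, "verdict": "dropped"})
            flow["syns"] += 1
        elif (dst, src) in flows:             # reply to a SYN already seen
            flow = flows[(dst, src)]
            if "R" in flags:
                flow["verdict"] = "rejected"  # RST came back, as 'block return' implies
            elif flags == "S" and has_ack and flow["verdict"] == "dropped":
                flow["verdict"] = "accepted"
    return flows

def summarize(capture):
    """Return (family, server address, port, SYN count, verdict) per attempt."""
    rows = []
    for (_, dst), flow in classify(capture).items():
        addr, port = split_endpoint(dst)
        family = "inet6" if ":" in addr else "inet"
        rows.append((family, addr, port, flow["syns"], flow["verdict"]))
    return rows

if __name__ == "__main__":
    for row in summarize(CAPTURE):
        print(*row)
```
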
