>Number:         29665
>Category:       kern
>Synopsis:       IPFilter doesn't send out TCP-RST packets via IPv6
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 12 01:26:00 +0000 2005
>Originator:     Matthias Scheler
>Release:        NetBSD 2.99.16 (2005-03-11 sources)
>Organization:
Matthias Scheler                                  http://scheler.de/~matthias/
>Environment:
System: NetBSD ivanova.zhadum.de 2.99.16 NetBSD 2.99.16 (IVANOVA) #0: Fri Mar 11 17:25:55 GMT 2005  tron@colwyn.zhadum.de:/export/scratch/tron/build.18111a/sys/compile/IVANOVA sparc
Architecture: sparc
Machine: sparc
>Description:
After upgrading my firewall from NetBSD 2.0.1 to 2.99.16 it now longer
sends TCP reset packets to block incoming connections:

> telnet colwyn.zhadum.de   
Trying 2001:8b0:114:1::2...
telnet: connect to address 2001:8b0:114:1::2: Connection timed out
Trying 81.187.181.114...
telnet: Unable to connect to remote host: Connection refused

As you can see fromt the output above it still works fine with IPv4:

I use (almost) identical rules for IPv4 and IPv6:

/etc/ipf.conf:
block return-rst in log on hme0 proto tcp from any to any port < 1024

/etc/ipf6.conf:
block return-rst in log on stf0 proto tcp from any to any port < 1024

I've run "tcpdump" on "hme0" to examine the problem and the firewall
didn't send out an answer to the SYN packet.

>How-To-Repeat:
1.) Add a rule like this to "ipf6.conf":

block return-rst in log on stf0 proto tcp from any to any port < 1024

2.) Run "telnet system-protected-by-above-rule".

>Fix:
None provided.