PF rule using return-rst on Mac OS X does not reply with TCP reset
up vote
2
down vote
favorite
I'm trying to add a simple PF rule:
block return-rst out proto tcp from any to any port 33128
to filter all outgoing traffic to TCP port 33128, and I'd like it to respond with a reset. However, when I test it with nc
, it times out, instead of returning right away with a connection refused error, which suggests packets going to port 33128
are dropped without a TCP reset being sent:
$ nc -v 172.22.2.2 33128
nc: connectx to 172.22.2.2 port 33128 (tcp) failed: Operation timed out
The way I enable PF and add this rule:
$ echo "block return-rst out proto tcp from any to any port 33128" > pf.conf
$ sudo pfctl -f pf.conf
$ sudo pfctl -e
What's wrong with this rule?
macos networking firewall bsd pf
add a comment |
up vote
2
down vote
favorite
I'm trying to add a simple PF rule:
block return-rst out proto tcp from any to any port 33128
to filter all outgoing traffic to TCP port 33128, and I'd like it to respond with a reset. However, when I test it with nc
, it times out, instead of returning right away with a connection refused error, which suggests packets going to port 33128
are dropped without a TCP reset being sent:
$ nc -v 172.22.2.2 33128
nc: connectx to 172.22.2.2 port 33128 (tcp) failed: Operation timed out
The way I enable PF and add this rule:
$ echo "block return-rst out proto tcp from any to any port 33128" > pf.conf
$ sudo pfctl -f pf.conf
$ sudo pfctl -e
What's wrong with this rule?
macos networking firewall bsd pf
having the same issue. I'm trying to use pfctl to simulate a completely dead connection to a specific domain for some tests, but all i get is a timeout
– Fernando Mazzon
Jul 30 '15 at 18:40
What version of MacOS are you running? This works perfectly for me on 10.10. I assumepfctl -e
returns without error?
– eradman
Aug 5 '15 at 14:42
@eradman Running 10.10 too. $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pfctl: pf already enabled. Other rules work just fine, it's just this rule having issues, getting timeouts instead of reset
– Fernando Mazzon
Aug 10 '15 at 12:42
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I'm trying to add a simple PF rule:
block return-rst out proto tcp from any to any port 33128
to filter all outgoing traffic to TCP port 33128, and I'd like it to respond with a reset. However, when I test it with nc
, it times out, instead of returning right away with a connection refused error, which suggests packets going to port 33128
are dropped without a TCP reset being sent:
$ nc -v 172.22.2.2 33128
nc: connectx to 172.22.2.2 port 33128 (tcp) failed: Operation timed out
The way I enable PF and add this rule:
$ echo "block return-rst out proto tcp from any to any port 33128" > pf.conf
$ sudo pfctl -f pf.conf
$ sudo pfctl -e
What's wrong with this rule?
macos networking firewall bsd pf
I'm trying to add a simple PF rule:
block return-rst out proto tcp from any to any port 33128
to filter all outgoing traffic to TCP port 33128, and I'd like it to respond with a reset. However, when I test it with nc
, it times out, instead of returning right away with a connection refused error, which suggests packets going to port 33128
are dropped without a TCP reset being sent:
$ nc -v 172.22.2.2 33128
nc: connectx to 172.22.2.2 port 33128 (tcp) failed: Operation timed out
The way I enable PF and add this rule:
$ echo "block return-rst out proto tcp from any to any port 33128" > pf.conf
$ sudo pfctl -f pf.conf
$ sudo pfctl -e
What's wrong with this rule?
macos networking firewall bsd pf
macos networking firewall bsd pf
edited Apr 9 '15 at 20:50
asked Apr 9 '15 at 20:46
ldx
1115
1115
having the same issue. I'm trying to use pfctl to simulate a completely dead connection to a specific domain for some tests, but all i get is a timeout
– Fernando Mazzon
Jul 30 '15 at 18:40
What version of MacOS are you running? This works perfectly for me on 10.10. I assumepfctl -e
returns without error?
– eradman
Aug 5 '15 at 14:42
@eradman Running 10.10 too. $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pfctl: pf already enabled. Other rules work just fine, it's just this rule having issues, getting timeouts instead of reset
– Fernando Mazzon
Aug 10 '15 at 12:42
add a comment |
having the same issue. I'm trying to use pfctl to simulate a completely dead connection to a specific domain for some tests, but all i get is a timeout
– Fernando Mazzon
Jul 30 '15 at 18:40
What version of MacOS are you running? This works perfectly for me on 10.10. I assumepfctl -e
returns without error?
– eradman
Aug 5 '15 at 14:42
@eradman Running 10.10 too. $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pfctl: pf already enabled. Other rules work just fine, it's just this rule having issues, getting timeouts instead of reset
– Fernando Mazzon
Aug 10 '15 at 12:42
having the same issue. I'm trying to use pfctl to simulate a completely dead connection to a specific domain for some tests, but all i get is a timeout
– Fernando Mazzon
Jul 30 '15 at 18:40
having the same issue. I'm trying to use pfctl to simulate a completely dead connection to a specific domain for some tests, but all i get is a timeout
– Fernando Mazzon
Jul 30 '15 at 18:40
What version of MacOS are you running? This works perfectly for me on 10.10. I assume
pfctl -e
returns without error?– eradman
Aug 5 '15 at 14:42
What version of MacOS are you running? This works perfectly for me on 10.10. I assume
pfctl -e
returns without error?– eradman
Aug 5 '15 at 14:42
@eradman Running 10.10 too. $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pfctl: pf already enabled. Other rules work just fine, it's just this rule having issues, getting timeouts instead of reset
– Fernando Mazzon
Aug 10 '15 at 12:42
@eradman Running 10.10 too. $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pfctl: pf already enabled. Other rules work just fine, it's just this rule having issues, getting timeouts instead of reset
– Fernando Mazzon
Aug 10 '15 at 12:42
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
I found that some of PF firewall rules work incorrectly after Thunderbolt Ethernet is connected, but work correctly when WiFi is the only network adapter. For example, action "return-rst" does not return TCP RST packets .
Update
I figured out that this bug affects any wired ethernet connection. Even built-in iMac ethernet adapter vs built-in WiFi adapter. Tested on old and newer iMac's.
Steps to Reproduce:
In the first step let's try correct behaviour. To do so, we need macbook/iMac with WiFi only connection, no Thunderbolt Ethernet connected.
Flush all PF rules
sudo pfctl -F all
Create simple rule to block TCP connection to port 81, that should return TCP RST packet to abort connection instantly.
echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -
Check if the new rule was added correctly.
Here we can see the counter of packets that match firewall rule.pfctl -vsr
Packets: 0 Bytes: 0Now trying to test firewall rule using curl that connects to port 81
curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused
See that connection refused immediately by firewall rule as expected. It's a correct behaviour.
Now test the incorrect behaviour. To do so we need to connect genuine Apple Thunderbolt Ethernet with active wired connection. WiFi connection can be disabled or stay enabled, this does not matter, bug will appear in both cases.
Leave firewall rules the same
Trying to use curl again
curl http://example.com:81
.....waiting....
curl: (28) Connection timed out
Now connection is hanging and closes after a while by timeout. But the firewall rule is still active and working.We can look at the packet counters
pfctl -vsr
and see that rule is matching and still blocking the connection. But without TCP RST reply.
My setup:
macOS: 10.14.1 (18B75)
MacBook Pro (Retina, 15-inch, Mid 2015)
Apple Thunderbolt 2 Ethernet adapter (57762)
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
I found that some of PF firewall rules work incorrectly after Thunderbolt Ethernet is connected, but work correctly when WiFi is the only network adapter. For example, action "return-rst" does not return TCP RST packets .
Update
I figured out that this bug affects any wired ethernet connection. Even built-in iMac ethernet adapter vs built-in WiFi adapter. Tested on old and newer iMac's.
Steps to Reproduce:
In the first step let's try correct behaviour. To do so, we need macbook/iMac with WiFi only connection, no Thunderbolt Ethernet connected.
Flush all PF rules
sudo pfctl -F all
Create simple rule to block TCP connection to port 81, that should return TCP RST packet to abort connection instantly.
echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -
Check if the new rule was added correctly.
Here we can see the counter of packets that match firewall rule.pfctl -vsr
Packets: 0 Bytes: 0Now trying to test firewall rule using curl that connects to port 81
curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused
See that connection refused immediately by firewall rule as expected. It's a correct behaviour.
Now test the incorrect behaviour. To do so we need to connect genuine Apple Thunderbolt Ethernet with active wired connection. WiFi connection can be disabled or stay enabled, this does not matter, bug will appear in both cases.
Leave firewall rules the same
Trying to use curl again
curl http://example.com:81
.....waiting....
curl: (28) Connection timed out
Now connection is hanging and closes after a while by timeout. But the firewall rule is still active and working.We can look at the packet counters
pfctl -vsr
and see that rule is matching and still blocking the connection. But without TCP RST reply.
My setup:
macOS: 10.14.1 (18B75)
MacBook Pro (Retina, 15-inch, Mid 2015)
Apple Thunderbolt 2 Ethernet adapter (57762)
add a comment |
up vote
0
down vote
I found that some of PF firewall rules work incorrectly after Thunderbolt Ethernet is connected, but work correctly when WiFi is the only network adapter. For example, action "return-rst" does not return TCP RST packets .
Update
I figured out that this bug affects any wired ethernet connection. Even built-in iMac ethernet adapter vs built-in WiFi adapter. Tested on old and newer iMac's.
Steps to Reproduce:
In the first step let's try correct behaviour. To do so, we need macbook/iMac with WiFi only connection, no Thunderbolt Ethernet connected.
Flush all PF rules
sudo pfctl -F all
Create simple rule to block TCP connection to port 81, that should return TCP RST packet to abort connection instantly.
echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -
Check if the new rule was added correctly.
Here we can see the counter of packets that match firewall rule.pfctl -vsr
Packets: 0 Bytes: 0Now trying to test firewall rule using curl that connects to port 81
curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused
See that connection refused immediately by firewall rule as expected. It's a correct behaviour.
Now test the incorrect behaviour. To do so we need to connect genuine Apple Thunderbolt Ethernet with active wired connection. WiFi connection can be disabled or stay enabled, this does not matter, bug will appear in both cases.
Leave firewall rules the same
Trying to use curl again
curl http://example.com:81
.....waiting....
curl: (28) Connection timed out
Now connection is hanging and closes after a while by timeout. But the firewall rule is still active and working.We can look at the packet counters
pfctl -vsr
and see that rule is matching and still blocking the connection. But without TCP RST reply.
My setup:
macOS: 10.14.1 (18B75)
MacBook Pro (Retina, 15-inch, Mid 2015)
Apple Thunderbolt 2 Ethernet adapter (57762)
add a comment |
up vote
0
down vote
up vote
0
down vote
I found that some of PF firewall rules work incorrectly after Thunderbolt Ethernet is connected, but work correctly when WiFi is the only network adapter. For example, action "return-rst" does not return TCP RST packets .
Update
I figured out that this bug affects any wired ethernet connection. Even built-in iMac ethernet adapter vs built-in WiFi adapter. Tested on old and newer iMac's.
Steps to Reproduce:
In the first step let's try correct behaviour. To do so, we need macbook/iMac with WiFi only connection, no Thunderbolt Ethernet connected.
Flush all PF rules
sudo pfctl -F all
Create simple rule to block TCP connection to port 81, that should return TCP RST packet to abort connection instantly.
echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -
Check if the new rule was added correctly.
Here we can see the counter of packets that match firewall rule.pfctl -vsr
Packets: 0 Bytes: 0Now trying to test firewall rule using curl that connects to port 81
curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused
See that connection refused immediately by firewall rule as expected. It's a correct behaviour.
Now test the incorrect behaviour. To do so we need to connect genuine Apple Thunderbolt Ethernet with active wired connection. WiFi connection can be disabled or stay enabled, this does not matter, bug will appear in both cases.
Leave firewall rules the same
Trying to use curl again
curl http://example.com:81
.....waiting....
curl: (28) Connection timed out
Now connection is hanging and closes after a while by timeout. But the firewall rule is still active and working.We can look at the packet counters
pfctl -vsr
and see that rule is matching and still blocking the connection. But without TCP RST reply.
My setup:
macOS: 10.14.1 (18B75)
MacBook Pro (Retina, 15-inch, Mid 2015)
Apple Thunderbolt 2 Ethernet adapter (57762)
I found that some of PF firewall rules work incorrectly after Thunderbolt Ethernet is connected, but work correctly when WiFi is the only network adapter. For example, action "return-rst" does not return TCP RST packets .
Update
I figured out that this bug affects any wired ethernet connection. Even built-in iMac ethernet adapter vs built-in WiFi adapter. Tested on old and newer iMac's.
Steps to Reproduce:
In the first step let's try correct behaviour. To do so, we need macbook/iMac with WiFi only connection, no Thunderbolt Ethernet connected.
Flush all PF rules
sudo pfctl -F all
Create simple rule to block TCP connection to port 81, that should return TCP RST packet to abort connection instantly.
echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -
Check if the new rule was added correctly.
Here we can see the counter of packets that match firewall rule.pfctl -vsr
Packets: 0 Bytes: 0Now trying to test firewall rule using curl that connects to port 81
curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused
See that connection refused immediately by firewall rule as expected. It's a correct behaviour.
Now test the incorrect behaviour. To do so we need to connect genuine Apple Thunderbolt Ethernet with active wired connection. WiFi connection can be disabled or stay enabled, this does not matter, bug will appear in both cases.
Leave firewall rules the same
Trying to use curl again
curl http://example.com:81
.....waiting....
curl: (28) Connection timed out
Now connection is hanging and closes after a while by timeout. But the firewall rule is still active and working.We can look at the packet counters
pfctl -vsr
and see that rule is matching and still blocking the connection. But without TCP RST reply.
My setup:
macOS: 10.14.1 (18B75)
MacBook Pro (Retina, 15-inch, Mid 2015)
Apple Thunderbolt 2 Ethernet adapter (57762)
edited Nov 28 at 13:59
answered Nov 28 at 11:52
zhovner
12
12
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f899780%2fpf-rule-using-return-rst-on-mac-os-x-does-not-reply-with-tcp-reset%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
having the same issue. I'm trying to use pfctl to simulate a completely dead connection to a specific domain for some tests, but all i get is a timeout
– Fernando Mazzon
Jul 30 '15 at 18:40
What version of MacOS are you running? This works perfectly for me on 10.10. I assume
pfctl -e
returns without error?– eradman
Aug 5 '15 at 14:42
@eradman Running 10.10 too. $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pfctl: pf already enabled. Other rules work just fine, it's just this rule having issues, getting timeouts instead of reset
– Fernando Mazzon
Aug 10 '15 at 12:42