PF rules work incorrectly on wired Ethernet interface

Murus
zhovner
Posts: 1
Joined: Thu Nov 29, 2018 1:31 pm

PF rules work incorrectly on wired Ethernet interface

Post by zhovner » Thu Nov 29, 2018 1:36 pm

I found that some PF firewall rules work incorrectly on a wired Ethernet interface, but work correctly when WiFi is the only network adapter. For example, the action "return-rst" does not return TCP RST packets.
This bug affects any wired Ethernet connection, even the built-in iMac Ethernet adapter vs. the built-in WiFi adapter. Tested on old and newer iMacs and MacBooks with Thunderbolt Ethernet adapters.

Steps to Reproduce:
In the first step, let's try the correct behaviour. To do so, we need a MacBook/iMac with a WiFi-only connection and no Thunderbolt Ethernet connected.

Flush all PF rules:

$ sudo pfctl -F all

Create a simple rule to block TCP connections to port 81, which should return a TCP RST packet to abort the connection instantly.

$ echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -

Check that the new rule was added correctly.
Here we can see the counter of packets that match the firewall rule.

$ sudo pfctl -vsr
Packets: 0         Bytes: 0

Now try to test the firewall rule using curl, connecting to port 81.

$ curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused

See that the connection is refused immediately by the firewall rule, as expected. This is the correct behaviour.

Now test the incorrect behaviour. To do so, we need to connect a genuine Apple Thunderbolt Ethernet adapter with an active wired connection. The WiFi connection can be disabled or stay enabled; this does not matter, the bug will appear in both cases.

Leave the firewall rules the same.

Try to use curl again:

$ curl http://example.com:81
 .....waiting....
 curl: (28) Connection timed out

Now the connection hangs and is closed after a while by timeout. But the firewall rule is still active and working.

We can look at the packet counters with pfctl -vsr and see that the rule is matching and still blocking the connection, but without a TCP RST reply.
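As an added example (not zhovner's code), a small POSIX shell script that automates the reproduction above on macOS: it flushes pf, loads the block return-rst rule, reads the rule's packet counter from pfctl -vsr before and after a curl attempt with a connect timeout, and maps curl's exit status (7 refused vs. 28 timed out) to whether an RST came back. The names rule_packets, classify_curl and the REPRO_RUN variable are my own; it assumes sudo, curl and the pfctl output format shown in the post.

```shell
#!/bin/sh
# Added example, not the post author's script. Assumes macOS pf, sudo and curl.
# Run it once on a WiFi-only machine and once with the Thunderbolt Ethernet
# adapter connected, then compare the two verdicts.

PORT=81
HOST="example.com"   # host used in the post; any reachable host works

# Extract the Packets counter of the first rule from `pfctl -vsr` output read
# on stdin. macOS prints "[ Evaluations: N  Packets: N  Bytes: N  States: N ]".
rule_packets() {
  sed -n 's/.*Packets: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map curl's exit status to what pf did with the outgoing SYN:
#   7  -> "Connection refused": a TCP RST came back, return-rst works
#   28 -> "Connection timed out": packet dropped silently, no RST (the bug)
classify_curl() {
  case "$1" in
    7)  echo "rst-returned" ;;
    28) echo "silently-dropped" ;;
    *)  echo "unexpected-exit-$1" ;;
  esac
}

reproduce() {
  sudo pfctl -F all
  echo "block return-rst out proto tcp from any to any port $PORT" \
    | sudo pfctl -e -f -
  before=$(sudo pfctl -vsr | rule_packets)
  # --connect-timeout keeps the buggy case from hanging for minutes
  curl -s --connect-timeout 10 "http://$HOST:$PORT" >/dev/null 2>&1
  rc=$?
  after=$(sudo pfctl -vsr | rule_packets)
  echo "rule matched $(( ${after:-0} - ${before:-0} )) packet(s);" \
       "curl verdict: $(classify_curl "$rc")"
}

# The live run touches pf and needs sudo, so only start it when asked.
if [ "${REPRO_RUN:-0}" = "1" ]; then
  reproduce
fi
```

Invoke as `REPRO_RUN=1 sh repro.sh`; a verdict of "silently-dropped" together with a non-zero packet delta is the behaviour the post reports on the wired interface.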
