PF firewall rules work incorrectly on a wired Ethernet interface. Action return-rst does not return a TCP RST packet.

Originator: pavel
Number: rdar://46305914    Date Originated: 2015
Status: Open    Resolved:
Product: macOS    Product Version: 10.10 and newer
Classification: Bug    Reproducible: Always
 
I found that some PF firewall rules work incorrectly on a wired Ethernet interface, but work correctly when WiFi is the only network adapter. For example, the action "return-rst" does not return TCP RST packets.
This bug affects any wired Ethernet connection, even the built-in iMac Ethernet adapter vs the built-in WiFi adapter. Tested on old and newer iMacs and MacBooks with Thunderbolt Ethernet adapters.

Steps to Reproduce: 
In the first step let's try the correct behaviour. To do so, we need a MacBook/iMac with a WiFi-only connection, no Thunderbolt Ethernet connected.

Flush all PF rules
$ sudo pfctl -F all

Create a simple rule to block TCP connections to port 81; it should return a TCP RST packet to abort the connection instantly.
$ echo "block return-rst out proto tcp from any to any port 81" | sudo pfctl -e -f -

Check that the new rule was added correctly.
Here we can see the counter of packets that match the firewall rule.
$ sudo pfctl -vsr
Packets: 0         Bytes: 0

Now test the firewall rule using curl, connecting to port 81
$ curl http://example.com:81
curl: (7) Failed to connect to example.com port 81: Connection refused

See that the connection is refused immediately by the firewall rule, as expected. This is the correct behaviour.

Now test the incorrect behaviour. To do so we need to connect a genuine Apple Thunderbolt Ethernet adapter with an active wired connection. The WiFi connection can be disabled or stay enabled; it does not matter, the bug appears in both cases.

Leave the firewall rules the same.

Try curl again
$ curl http://example.com:81
.....waiting....
curl: (28) Connection timed out
Now the connection hangs and is closed after a while by timeout. But the firewall rule is still active and working.

We can look at the packet counters (pfctl -vsr) and see that the rule is matching and still blocking the connection, but without a TCP RST reply.
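The check above (probe the port, then read the rule's packet counter) can be scripted so the two outcomes are told apart automatically. The following is an added example, not part of the bug report and not Apple's or pf's own code: it classifies a TCP connect as "refused" (a RST came back), "timeout" (silently dropped) or "connected", parses the per-rule counter line of `pfctl -vsr`, and combines both into a verdict. The `pfctl -vsr` sample text is constructed here to show the counter-line layout the parser assumes (`[ Evaluations: N  Packets: N  Bytes: N  States: N ]`); the host name and port in the `__main__` block are just the ones used in the report.

```python
import re
import socket

# Counter line that `pfctl -vsr` prints under each rule. Assumed layout:
#   [ Evaluations: 12    Packets: 3     Bytes: 192    States: 0 ]
COUNTER_RE = re.compile(
    r"Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<packets>\d+)\s+Bytes:\s*(?P<bytes>\d+)"
)


def parse_pfctl_rules(text):
    """Parse `pfctl -vsr` output into a list of (rule_text, counters) tuples.

    Lines starting with '[' are counter/metadata lines for the rule printed
    just before them; every other non-empty line starts a new rule.
    """
    rules = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("["):
            m = COUNTER_RE.search(stripped)
            if m and current is not None:
                current[1].update({k: int(v) for k, v in m.groupdict().items()})
            continue
        current = (stripped, {"evals": 0, "packets": 0, "bytes": 0})
        rules.append(current)
    return rules


def find_rule_for_port(rules, port):
    """Return the first (rule, counters) whose text names this port.

    pfctl prints a single port as `port = 81`; `port 81` is accepted too.
    """
    pat = re.compile(r"\bport\s*=?\s*%d\b" % port)
    for rule, counters in rules:
        if pat.search(rule):
            return rule, counters
    return None


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect and classify what came back.

    "refused"   -> RST (or ICMP unreachable) received: block return-rst works
    "timeout"   -> nothing received within `timeout`: packets silently dropped
    "connected" -> handshake completed: the rule did not block
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error:%s" % (exc.errno,)
    finally:
        s.close()


def diagnose(probe_result, rules, port):
    """Combine the connect outcome with the rule's packet counter into a verdict."""
    hit = find_rule_for_port(rules, port)
    if hit is None:
        return "no rule for port %d" % port
    _, counters = hit
    if counters["packets"] == 0:
        return "rule never matched (packets: 0); check the interface/direction"
    if probe_result == "refused":
        return "ok: rule matched and a TCP RST was returned"
    if probe_result == "timeout":
        return "bug: rule matched (packets: %d) but no TCP RST was returned" % counters["packets"]
    return "rule matched but connect result was %r" % probe_result


# Constructed sample of `pfctl -vsr` output (not captured from a real host).
SAMPLE_PFCTL_OUTPUT = """\
block return-rst out proto tcp from any to any port = 81
  [ Evaluations: 14        Packets: 3         Bytes: 192         States: 0     ]
  [ Inserted: uid 0 pid 901 State Creations: 0     ]
pass out proto tcp from any to any port = 443 flags S/SA keep state
  [ Evaluations: 14        Packets: 11        Bytes: 1420        States: 1     ]
  [ Inserted: uid 0 pid 901 State Creations: 1     ]
"""


if __name__ == "__main__":
    import subprocess
    import sys

    host, port = "example.com", 81
    result = probe_tcp(host, port)
    try:
        output = subprocess.run(["sudo", "pfctl", "-vsr"],
                                capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        sys.exit("could not run pfctl -vsr: %s" % exc)
    print("connect:", result)
    print(diagnose(result, parse_pfctl_rules(output), port))
```

Run it once on WiFi only and once with the Thunderbolt Ethernet adapter active: with the rule loaded, a "refused" probe plus a non-zero packet counter is the correct return-rst behaviour, while "timeout" plus a rising counter is exactly the symptom described in the report. A counter that stays at 0 means the rule never saw the packet at all, which is a different problem (wrong direction or interface) from the missing RST.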
