Date: Sun, 31 Jan 2010 01:49:58 +0100
From: Kristian Kræmmer Nielsen <jkkn@jkkn.dk>
To: freebsd-pf@freebsd.org
Subject: Re: Possible bug: pf ignores "reply-to" in block-rules
Message-ID: <4B64D3B6.3050400@jkkn.dk>
In-Reply-To: <4B63B165.2020809@jkkn.dk>
References: <4B63B165.2020809@jkkn.dk>
Hey again,

I have been looking through the source code of pf and wondering if this might be an issue with all packets that pf initiates and sends by itself. As far as I can tell pf uses the method "pf_send_tcp" to initiate packets from itself, like the reset packet used by "block return" rules. But routes like route-to/dup-to/reply-to seem only to be handled in "pf_route", which is only used for the packets pf processes.

THE ISSUE: The problem is "pf_send_tcp" does not really call "pf_route" at any time, so I guess routing is not handled at all for these packets? Would we dare to call pf_route() somewhere in pf_send_tcp() to fix this? Could someone give me a hint on this?

I also discovered an unrelated issue: in the source code of pf_route() I see a comment saying "Copied from FreeBSD 5.1-CURRENT ip_output". This code seems quite old, e.g. there is no support for IPSEC in the copied code. Both outside the FreeBSD special case and ip_output in CURRENT do additional checks for IPSEC. I am not using IPSEC myself, but we might also have trouble routing IPSEC traffic until this copied code is updated?

Hope someone can hint me on pf_send_tcp/pf_route.

Thanks,
Kristian

On 30-01-2010 05:11, Kristian Kræmmer Nielsen wrote:
> Hey,
>
> I am experiencing an issue using reply-to on block rules.
>
> I am a "nice" firewall administrator and always use "block return"
> rules, thereby pf sends nice reset packets back to clients if they
> attempt to connect to a port that pf is set up to block.
>
> My setup is using a gif0 tunnel to tunnel specific traffic from
> another public IP address to the server. Since it is important that
> packets are then routed back the same way and not using the
> default route, I use "pass in reply-to gif0" rules and this worked
> perfectly for all incoming traffic.
>
> But, on my "block return in gif0 reply-to gif0" pf seems to simply
> ignore the reply-to parameter and instead decides to send the packets
> back using the default route.
>
> I see the packets go out on the wrong interface, in my case my
> ethernet interface (em0), that is the default route for the server.
>
> Could someone check to see if pf respects "reply-to" when sending
> reset packets (block return)?
>
> Or if that is not the case explain to me what "reply-to" is supposed to
> do on "block" rules?
>
> Best regards,
> Kristian Kræmmer Nielsen,
> Odense, Denmark
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
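The check behind the report above, as an added example that is not part of the thread and not pf code: capture on both interfaces (`tcpdump -n -i gif0` and `tcpdump -n -i em0`), then pair every RST with the SYN that provoked it and flag RSTs that leave on a different interface from the one the SYN arrived on. With "pass in ... reply-to gif0" the SYN-ACK of an allowed connection should show up on gif0; with "block return ... reply-to gif0" the RST should too, and the symptom described is that it appears on em0 instead. The tcpdump lines below are constructed for the example (addresses from the documentation ranges, 198.51.100.5 as the server, 203.0.113.10 as the client) and are not real captures.

```python
"""Pair pf 'block return' RSTs with the SYN that caused them and report the
ones that leave on a different interface from the one the SYN arrived on.

Added example, not code from the freebsd-pf thread or from pf itself.
Input is the text that `tcpdump -n -i <ifname>` prints for TCP packets;
the sample captures at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass

# One `tcpdump -n` TCP line, e.g.
# 12:00:00.000100 IP 203.0.113.10.51000 > 198.51.100.5.22: Flags [S], seq 100, win 65535, length 0
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Pkt:
    ifname: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN-ACK, "R." = RST-ACK


def parse_capture(ifname, text):
    """Parse the TCP lines of one interface's tcpdump output; other lines
    (ICMP, ARP, tunnel framing) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        pkts.append(Pkt(ifname, m["ts"], m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def misrouted_resets(captures):
    """captures: {ifname: tcpdump text}. Returns a list of
    (rst_packet, ingress_ifname, egress_ifname) for every RST whose
    matching SYN (reverse 4-tuple) arrived on a different interface."""
    pkts = [p for ifn, txt in captures.items() for p in parse_capture(ifn, txt)]

    # Remember where each pure SYN (no ACK bit, so not a SYN-ACK) came in.
    syn_ingress = {}
    for p in pkts:
        if "S" in p.flags and "." not in p.flags:
            syn_ingress[(p.src, p.sport, p.dst, p.dport)] = p.ifname

    bad = []
    for p in pkts:
        if "R" not in p.flags:
            continue
        key = (p.dst, p.dport, p.src, p.sport)  # the SYN runs the other way
        ingress = syn_ingress.get(key)
        if ingress is not None and ingress != p.ifname:
            bad.append((p, ingress, p.ifname))
    return bad


# Constructed sample captures (not real traffic). On gif0: a SYN to port 22
# (blocked with "block return"), a SYN to port 80 (passed) with its SYN-ACK
# correctly leaving on gif0, and an ICMP line the parser ignores.
GIF0_CAPTURE = """\
12:00:00.000100 IP 203.0.113.10.51000 > 198.51.100.5.22: Flags [S], seq 100, win 65535, length 0
12:00:00.000200 IP 203.0.113.10.51001 > 198.51.100.5.80: Flags [S], seq 200, win 65535, length 0
12:00:00.000300 IP 198.51.100.5.80 > 203.0.113.10.51001: Flags [S.], seq 900, ack 201, win 65535, length 0
12:00:00.000400 IP 203.0.113.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
"""

# On em0 (the default route): the RST for the port-22 SYN, which should have
# gone out on gif0, plus an unrelated outbound connection from the server.
EM0_CAPTURE = """\
12:00:00.000250 IP 198.51.100.5.22 > 203.0.113.10.51000: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:01.000000 IP 198.51.100.5.44000 > 192.0.2.1.443: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    for rst, ingress, egress in misrouted_resets({"gif0": GIF0_CAPTURE, "em0": EM0_CAPTURE}):
        print(f"RST {rst.src}.{rst.sport} > {rst.dst}.{rst.dport} left on {egress}, "
              f"but the SYN arrived on {ingress}")
```

Run the two tcpdumps for the same few seconds, paste each into its capture string, and anything printed is an RST that did not honour reply-to; a passed connection whose SYN-ACK appears on gif0 shows the rule itself is fine and only pf-originated packets take the default route.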
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B64D3B6.3050400>