From: Kristian Kræmmer Nielsen <jkkn@jkkn.dk>
Date: Sun, 31 Jan 2010 01:49:58 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Possible bug: pf ignores "reply-to" in block-rules
Message-ID: <4B64D3B6.3050400@jkkn.dk>
In-Reply-To: <4B63B165.2020809@jkkn.dk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hey again,

I have been looking through the source code of pf and wondering if this might be an issue with all packets that pf initiates and sends by itself?

As far as I can tell pf uses the method "pf_send_tcp" to initiate packets from itself, like the reset packet used by "block return" rules. But routes like route-to/dup-to/reply-to seem only to be handled in "pf_route", which is only used for the packets pf processes.

THE ISSUE: The problem is "pf_send_tcp" does not really call "pf_route" at any time, so I guess routing is not handled at all for these packets? Would we dare to call pf_route() somewhere in pf_send_tcp() to fix this - could someone give me a hint on this?

I also discovered an unrelated issue: in the source code of pf_route() I see a comment saying "Copied from FreeBSD 5.1-CURRENT ip_output" - this code seems quite old, e.g. there is no support for IPSEC in the copied code. Both outside the FreeBSD special case and ip_output in CURRENT do additional checks for IPSEC - I am not using IPSEC myself, but we might also have trouble routing IPSEC traffic until this copied code is updated?

Hope someone can hint me on pf_send_tcp/pf_route.

Thanks,
Kristian

On 30-01-2010 05:11, Kristian Kræmmer Nielsen wrote:
> Hey,
>
> I am experiencing an issue using reply-to on block rules.
>
> I am a "nice" firewall administrator and always use "block return"
> rules, thereby pf sends nice reset packets back to clients if they
> attempt to connect to a port that pf is set up to block.
>
> My setup is using a gif0 tunnel to tunnel specific traffic from
> another public IP address to the server. Since it is important that
> packets are then routed back the same way and not using the
> default route, I use "pass in reply-to gif0" rules and this worked
> perfectly for all incoming traffic.
>
> But, on my "block return in gif0 reply-to gif0" - pf seems to simply
> ignore the reply-to parameter and instead decides to send the packets
> back using the default route.
>
> I see the packets go out on the wrong interface, in my case my
> ethernet interface (em0), that is the default route for the server.
>
> Could someone check to see if pf respects "reply-to" when sending
> reset packets (block return)?
>
> Or if that is not the case, explain to me what "reply-to" is supposed to
> do on "block" rules?
>
> Best regards,
> Kristian Kræmmer Nielsen,
> Odense, Denmark
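As an added illustration that is not part of either mail and not code from the pf project: the check Kristian describes by hand (watching whether the reset for a blocked port leaves on the tunnel interface or on the default-route interface) can be automated over tcpdump output. The script below is constructed for this page; the tcpdump lines, the interface names gif0/em0 and the documentation-range addresses are made up, and in practice the input would be the summary lines captured with tcpdump on the tunnel interface and on the default-route interface, tagged with the interface each came from.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: (capture interface, tcpdump-style summary line). The
# addresses come from documentation ranges and the lines are made up for this
# example; they are not from the original mail. gif0 is the tunnel the client
# traffic arrives on, em0 the interface holding the default route.
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("gif0", "01:49:58.100000 IP 203.0.113.5.40000 > 198.51.100.10.23: "
             "Flags [S], seq 100, win 65535, length 0"),
    # The RST for the blocked port leaves on em0, not back through gif0.
    ("em0",  "01:49:58.100200 IP 198.51.100.10.23 > 203.0.113.5.40000: "
             "Flags [R.], seq 0, ack 101, win 0, length 0"),
    ("gif0", "01:49:59.200000 IP 203.0.113.5.40001 > 198.51.100.10.22: "
             "Flags [S], seq 200, win 65535, length 0"),
    # A passed connection: the SYN-ACK correctly goes back through gif0.
    ("gif0", "01:49:59.200300 IP 198.51.100.10.22 > 203.0.113.5.40001: "
             "Flags [S.], seq 500, ack 201, win 65535, length 0"),
]

# Matches the IPv4/TCP summary format tcpdump prints by default.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Packet:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string, e.g. "S", "S." (SYN-ACK), "R." (RST-ACK)


def parse_line(iface: str, line: str) -> Optional[Packet]:
    """Parse one tcpdump IPv4/TCP summary line; returns None for other traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(iface, m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def find_reply_interfaces(capture: List[Tuple[str, str]], ingress_iface: str):
    """For every SYN that arrived on ingress_iface, find the server's first
    reply to that flow (RST or SYN-ACK) and record the interface it left on.
    A reply on any other interface is flagged as misrouted, which is the
    symptom the mail describes for 'block return ... reply-to'."""
    packets = [p for p in (parse_line(i, l) for i, l in capture) if p]
    results = []
    for idx, syn in enumerate(packets):
        if syn.iface != ingress_iface or syn.flags != "S":
            continue
        reversed_tuple = (syn.dst, syn.dport, syn.src, syn.sport)
        for reply in packets[idx + 1:]:
            if (reply.src, reply.sport, reply.dst, reply.dport) == reversed_tuple:
                results.append({
                    "flow": f"{syn.src}:{syn.sport} -> {syn.dst}:{syn.dport}",
                    "reply_flags": reply.flags,
                    "reply_iface": reply.iface,
                    "misrouted": reply.iface != ingress_iface,
                })
                break
    return results


if __name__ == "__main__":
    for r in find_reply_interfaces(SAMPLE_CAPTURE, "gif0"):
        state = "MISROUTED" if r["misrouted"] else "ok"
        print(f"{r['flow']}: reply [{r['reply_flags']}] left on "
              f"{r['reply_iface']} ({state})")
```

On the constructed sample the blocked flow's RST is reported as leaving on em0 (misrouted) while the passed flow's SYN-ACK returns through gif0, which is exactly the asymmetry the mail reports; running the same pairing over real captures separates a reply-to problem on block rules from a plain routing-table problem, since the latter would misroute the SYN-ACKs too.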