Date: Wed, 04 Mar 2020 18:07:07 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 244514] "reply-to" function in pf breaks RFC 1122 section 3.3.1.1 Local/Remote Decision Message-ID: <bug-244514-227-IZJZ2tSRTr@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-244514-227@https.bugs.freebsd.org/bugzilla/> References: <bug-244514-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D244514 pvz@itassistans.se changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pvz@itassistans.se --- Comment #8 from pvz@itassistans.se --- I agree with the earlier comment by Kristof Provost. This is not a FreeBSD = bug. pf is being told to route all reply packets back through a certain gateway,= and that is in fact what it's doing. If the way the administrator configures FreeBSD violates an RFC, that's on the administrator. There are many ways to configure firewall rules that go counter to what's written in an RFC, if th= at's what you want to do. It is also conversely possible to configure PF rules that do not cause this behaviour, if that's what you want to do. If a project or system administra= tor that uses pf generates pf rules that end up violating an RFC, it's on whoev= er's or whatever writing the rules to write them differently. In this case the firewall rule is working exactly as intended. You might be able to argue that it would be useful for pf to have a feature that would route packets down a certain interface, as opposed to specifical= ly through a specific gateway, but that would mean talking about introducing a= new feature, rather than changing behaviour of an old one. I think it might be a good idea, but if you really want pf to do that, you can already do that by writing rules that handle same-subnet traffic differently to cross-subnet traffic, although it'd end up a bit messy. Incidentally, I agree with ctminime's core problem description. The way OPNsense and pfSense use this feature is bogus. But it has nothing to do wi= th FreeBSD or pf. It's doing what it's being told, and pf should not second gu= ess what the administrator is telling it to do. There may be good reasons to configure your firewall in that way. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-244514-227-IZJZ2tSRTr>