From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244514] "reply-to" function in pf breaks RFC 1122 section 3.3.1.1 Local/Remote Decision
Date: Sat, 29 Feb 2020 03:36:58 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244514

            Bug ID: 244514
           Summary: "reply-to" function in pf breaks RFC 1122 section
                    3.3.1.1 Local/Remote Decision
           Product: Base System
           Version: Unspecified
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: ctminime@yahoo.com

I discovered this doing some testing with the latest OPNsense. However, they
insisted this was upstream and sure enough I was able to replicate the
behavior in FreeBSD 11.3.

Here is the mentioned RFC: https://tools.ietf.org/html/rfc1122#page-47
Please note that in section 3.5 INTERNET LAYER REQUIREMENTS SUMMARY, "Use
address mask in local/remote decision" is marked as "MUST".

Here is the bug report with OPNsense:
https://github.com/opnsense/core/issues/3952
And the discussion on their forum:
https://forum.opnsense.org/index.php?topic=15900.0

This was my testing rule set when confirming the FreeBSD/pf behavior. The
commented out line (at the bottom) is what breaks my SSH connection from the
local subnet 192.168.169.0/24. Connection from 192.168.169.200 to
192.168.169.197 (FreeBSD).

scrub on lo0 all fragment reassemble
scrub on vtnet0 all fragment reassemble
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
pass in log on vtnet0 proto udp from any port = bootps to any port = bootpc keep state label "613fb331c903de9502461c121104e092"
pass out log on vtnet0 proto udp from any port = bootpc to any port = bootps keep state label "b8e1da9ac60ce8edb8e5a84bc5cec53e"
pass in log quick on lo0 all flags S/SA keep state label "59162224cde3be673a9b295d6e24dcea"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in quick on vtnet0 inet proto icmp from (vtnet0:network) to (vtnet0) keep state label "b16c302604774ef7a3969da93953d4da"
pass in log quick on vtnet0 inet proto tcp from (vtnet0:network) to (vtnet0) port = ssh flags S/SA keep state label "ssh"
#pass in log quick on vtnet0 reply-to (vtnet0 192.168.169.254) inet proto tcp from (vtnet0:network) to (vtnet0) port = ssh flags S/SA keep state label "ssh"

-- 
You are receiving this mail because:
You are the assignee for the bug.
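An added example, not from the report or from pf itself: a small model of the RFC 1122 section 3.3.1.1 local/remote decision next to pf's reply-to behaviour as the reporter describes it, plus a check that flags a reply-to gateway sitting inside the subnet of the peers the rule matches (the failure mode above). It assumes vtnet0 is 192.168.169.197 on 192.168.169.0/24 with 192.168.169.254 as the gateway, as the report implies.

```python
import ipaddress
import re

# Constructed from the report: vtnet0 sits on 192.168.169.0/24 and the
# reply-to rule names 192.168.169.254 as the gateway (assumption).
IFACE_NET = ipaddress.ip_network("192.168.169.0/24")
GATEWAY = ipaddress.ip_address("192.168.169.254")

# The report's two ssh rules, the broken one without its leading '#'.
GOOD_RULE = ("pass in log quick on vtnet0 inet proto tcp from (vtnet0:network) "
             "to (vtnet0) port = ssh flags S/SA keep state label \"ssh\"")
BROKEN_RULE = ("pass in log quick on vtnet0 reply-to (vtnet0 192.168.169.254) "
               "inet proto tcp from (vtnet0:network) to (vtnet0) port = ssh "
               "flags S/SA keep state label \"ssh\"")

def rfc1122_next_hop(dst, iface_net=IFACE_NET, gateway=GATEWAY):
    """RFC 1122 3.3.1.1: apply the address mask; a destination on the
    local network is delivered directly, anything else goes to the gateway."""
    dst = ipaddress.ip_address(dst)
    return dst if dst in iface_net else gateway

def pf_reply_to_next_hop(dst, reply_to_gw):
    """Model of 'reply-to (ifname gw)' as the report describes it: every
    reply on the state is pushed to the named gateway, with no mask check."""
    ipaddress.ip_address(dst)  # validate only; the destination is ignored
    return ipaddress.ip_address(reply_to_gw)

RULE_RE = re.compile(r"reply-to\s*\(\s*(?P<if>\w+)\s+(?P<gw>[\d.]+)\s*\)")

def audit_rule(rule, iface_nets):
    """Return findings for one pf rule. A reply-to gateway inside the subnet
    of a source the rule matches ('(ifname:network)' or 'any') means replies
    to local peers are sent to the gateway instead of directly."""
    findings = []
    if rule.lstrip().startswith("#"):
        return findings  # commented out, never loaded
    m = RULE_RE.search(rule)
    if not m:
        return findings
    ifname, gw = m.group("if"), ipaddress.ip_address(m.group("gw"))
    net = iface_nets.get(ifname)
    if net is None:
        return [f"reply-to names unknown interface {ifname}"]
    matches_local = f"({ifname}:network)" in rule or re.search(r"\bfrom\s+any\b", rule)
    if matches_local and gw in net:
        findings.append(f"reply-to gateway {gw} is inside {net}: replies to "
                        f"local peers on {ifname} will go via {gw}, not directly")
    return findings
```
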