Date: Sat, 29 Feb 2020 03:36:58 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244514] "reply-to" function in pf breaks RFC 1122 section 3.3.1.1 Local/Remote Decision
Message-ID: <bug-244514-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244514

Bug ID: 244514
Summary: "reply-to" function in pf breaks RFC 1122 section 3.3.1.1 Local/Remote Decision
Product: Base System
Version: Unspecified
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ctminime@yahoo.com

I discovered this doing some testing with the latest OPNsense. However, they insisted this was upstream, and sure enough I was able to replicate the behavior in FreeBSD 11.3.

Here is the mentioned RFC: https://tools.ietf.org/html/rfc1122#page-47

Please note that in section 3.5 INTERNET LAYER REQUIREMENTS SUMMARY, "Use address mask in local/remote decision" is marked as "MUST".

Here is the bug report with OPNsense: https://github.com/opnsense/core/issues/3952

And the discussion on their forum: https://forum.opnsense.org/index.php?topic=15900.0

This was my testing rule set when confirming the FreeBSD/pf behavior. The commented-out line (at the bottom) is what breaks my SSH connection from the local subnet 192.168.169.0/24. Connection from 192.168.169.200 to 192.168.169.197 (FreeBSD).
scrub on lo0 all fragment reassemble
scrub on vtnet0 all fragment reassemble
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
pass in log on vtnet0 proto udp from any port = bootps to any port = bootpc keep state label "613fb331c903de9502461c121104e092"
pass out log on vtnet0 proto udp from any port = bootpc to any port = bootps keep state label "b8e1da9ac60ce8edb8e5a84bc5cec53e"
pass in log quick on lo0 all flags S/SA keep state label "59162224cde3be673a9b295d6e24dcea"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in quick on vtnet0 inet proto icmp from (vtnet0:network) to (vtnet0) keep state label "b16c302604774ef7a3969da93953d4da"
pass in log quick on vtnet0 inet proto tcp from (vtnet0:network) to (vtnet0) port = ssh flags S/SA keep state label "ssh"
#pass in log quick on vtnet0 reply-to (vtnet0 192.168.169.254) inet proto tcp from (vtnet0:network) to (vtnet0) port = ssh flags S/SA keep state label "ssh"
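The following is an added example, not code from the bug report, from pf, or from FreeBSD. It spells out the RFC 1122 section 3.3.1.1 local/remote decision (compare the destination with the interface address under the address mask) and sets it beside what the commented-out "reply-to (vtnet0 192.168.169.254)" rule does, which is to direct the reply to the named gateway regardless of where the peer sits. It also includes a small static check that flags a reply-to rule whose source specification admits hosts on the interface's own subnet, which is the case here because "(vtnet0:network)" covers 192.168.169.0/24. Assumptions: the /24 mask is taken from the reporter's "local subnet 192.168.169.0/24", 192.168.169.254 is treated as the host's gateway for remote destinations, and the function names are this example's own.

```python
import ipaddress

# Values from the bug report: the FreeBSD host's address on vtnet0 ("(vtnet0)")
# and the gateway named in the reply-to rule. The /24 mask is assumed from the
# reporter's "local subnet 192.168.169.0/24"; "(vtnet0:network)" expands to it.
IFACE = ipaddress.ip_interface("192.168.169.197/24")
REPLY_TO_GATEWAY = ipaddress.ip_address("192.168.169.254")


def is_local(dst, iface=IFACE):
    """RFC 1122 3.3.1.1: dst is local iff, under the interface's address mask,
    it carries the interface's network number."""
    return ipaddress.ip_address(dst) in iface.network


def rfc1122_next_hop(dst, iface=IFACE, gateway=REPLY_TO_GATEWAY):
    """Next hop the host itself would choose for a packet to dst: the peer
    directly when local, otherwise the gateway (assumed to be 192.168.169.254)."""
    dst = ipaddress.ip_address(dst)
    return dst if dst in iface.network else gateway


def reply_to_next_hop(src, gateway=REPLY_TO_GATEWAY):
    """Next hop for the reply under 'reply-to (vtnet0 192.168.169.254)': the
    rule names the gateway unconditionally, so the peer's address is ignored."""
    return gateway


def reply_to_contradicts_rfc1122(src, iface=IFACE, gateway=REPLY_TO_GATEWAY):
    """True when the reply-to rule sends the reply somewhere other than where
    the RFC 1122 local/remote decision would send it for this peer."""
    return reply_to_next_hop(src, gateway) != rfc1122_next_hop(src, iface, gateway)


def audit_reply_to_rule(source_spec, iface=IFACE, gateway=REPLY_TO_GATEWAY):
    """Static check (this example's own, hypothetical helper) for a rule shaped
    like: pass in on IF reply-to (IF GW) ... from SOURCE_SPEC to (IF) ...
    Reports whether SOURCE_SPEC admits hosts on IF's own subnet; replies to
    those hosts would be handed to GW instead of sent directly to the peer."""
    src_net = ipaddress.ip_network(source_spec, strict=False)
    return {
        "source": str(src_net),
        "interface_network": str(iface.network),
        "gateway": str(gateway),
        "local_sources_affected": src_net.overlaps(iface.network),
    }


if __name__ == "__main__":
    # Constructed peers: the reporter's client on the local subnet, and a
    # remote address for contrast.
    for peer in ("192.168.169.200", "8.8.8.8"):
        print(peer, "local" if is_local(peer) else "remote",
              "rfc1122 ->", rfc1122_next_hop(peer),
              "reply-to ->", reply_to_next_hop(peer),
              "CONTRADICTS" if reply_to_contradicts_rfc1122(peer) else "ok")
    print(audit_reply_to_rule("192.168.169.0/24"))
```

For the remote peer both decisions agree on the gateway, so reply-to changes nothing; for 192.168.169.200 the RFC 1122 decision says "deliver directly" while the rule says "send to 192.168.169.254", which is the mismatch the report describes for the SSH connection from the local subnet.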