Possible bug: pf ignores "reply-to" in block-rules

Kristian Kræmmer Nielsen jkkn at jkkn.dk
Sun Jan 31 00:50:09 UTC 2010 

Hey again,

I have been looking through the source-code of pf and wondering if this 
might be an issue with all packets that pf initiates and sends by it self?

As far as I can tell pf uses the method "pf_send_tcp" to initiase 
packages from itself, like the reset-packet used by "block return"-rules.

But routes like route-to/dub-to/reply-to seem only to be handle in 
"pf_route" which is only used for the packets pf processes.

THE ISSUE:
The problem is "pf_send_tcp" does not really call "pf_route" at any time 
so I guess routing is not handled at all for these packets?
Would we dear to call pf_route() somewhere in pf_send_tcp() to fix this 
- could someone give me a hint on this?

I also discovered an unrelated issue, in the sourcecode of pf_route() I 
see a comment saying "Copied from FreeBSD 5.1-CURRENT ip_output" - this 
code seem quiet old, e.x. there are no support for IPSEC in the copied 
code. Both outside the FreeBSD special case and ip_output in CURRENT 
does additional checks for IPSEC - I am not using IPSEC myself, but we 
might also have trouble routing IPSEC traffic until this copied code is 
updated?

Hope someone can hint me on pf_send_tcp/pf_route.

Thanks,
Kristian

On 30-01-2010 05:11, Kristian Kræmmer Nielsen wrote:
> Hey,
>
> I am experiencing an issue using reply-to on block rules.
>
> I am a "nice" firewall administrator and always uses "block return" 
> rules, thereby pf sends nice reset packets back to clients if they 
> attempt to connect to a port that pf is setup to block.
>
> My setup is using a gif0 tunnel to tunnel specific traffic from 
> another public IP-address to the server. Since it is important that 
> packages are then to be routed back the same way and not using the 
> default-route, I use "pass in reply-to gif0"-rules and this worked 
> perfectly for all incoming traffic.
>
> But, on my "block return in gif0 reply-to gif0" - pf seem to simply 
> ignore the reply-to parameter and instead decides to send the packs 
> back using the default route.
>
> I see the packages go out on the wrong interface, in my case my 
> ethernet interface (em0), that is the default route for the server.
>
> Could someone check to see if pf respects "reply-to" when sending 
> reset packages (block return)?
>
> Or if that is not the case explain to me what "reply-to" is suppose to 
> do on "block"-rules?
>
> Best regards,
> Kristian Kræmmer Nielsen,
> Odense, Denmark
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

More information about the freebsd-pf mailing list