[Bug 201519] pf NAT translates ICMP type 3 packets incorrectly

bugzilla-noreply at freebsd.org
Wed Aug 3 21:40:10 UTC 2016


--- Comment #11 from clbuisson at orange.fr ---
There is nothing complicated in my setup!

1. An Internal network with "private" IPv4 addresses
2. A Gateway/Router/Firewall connected to this internal network, and to the
Internet (ADSL), and NATing the traffic between 1 and 3
3. The Internet with any system, for example www.freebsd.org

On a system on the internal network, if I do

traceroute www.freebsd.org

I get

- first line: the internal address/name of the gateway (OK)
- a number of lines, one for each intermediate router on the Internet, but
labelled with the address/name of www.freebsd.org (!OK)
- last line: the address/name of www.freebsd.org (OK)

Details seem irrelevant (anyone can find the address of www.freebsd.org...),
the effect of outgoing NAT on UDP or ICMP (in case of traceroute -I) is
known. It is clear that the bug is in the NAT of the ICMP TIME_EXCEEDED
from the Internet (invalid substitution of the address of the responding router
with the address of the traceroute target).
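
Added example, not part of the original comment and not pf's code: a sketch of the reverse translation a NAT gateway is expected to apply to an inbound ICMP error, which rewrites the outer destination and the embedded packet's source while leaving the outer source (the reporting router) alone. All addresses, ports and the STATES table are constructed; 20-byte IP headers are assumed and the embedded UDP checksum is not adjusted.

```python
import struct
from socket import inet_aton as aton

# Constructed addresses (documentation ranges), not taken from the bug report.
HOST, GW, ROUTER, TARGET = "192.168.1.10", "203.0.113.5", "198.51.100.1", "192.0.2.80"

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_csum(buf: bytearray, field: int, start: int, end: int) -> None:
    """Zero the 2-byte checksum at `field`, then store csum(buf[start:end]) there."""
    buf[field:field + 2] = b"\x00\x00"
    buf[field:field + 2] = struct.pack("!H", csum(bytes(buf[start:end])))

def translate_icmp_error(pkt: bytes, states: dict):
    """Reverse-NAT an inbound ICMP error. Assumes 20-byte IP headers (no options)."""
    p, i = bytearray(pkt), 28            # i = offset of embedded IP header (20 + 8)
    if p[9] != 1 or p[20] not in (3, 11):
        return pkt                       # not an ICMP unreachable / time-exceeded
    # State key comes from the EMBEDDED packet: proto, src+dst addresses, src+dst ports.
    state = states.get((p[i + 9], bytes(p[i + 12:i + 20]), bytes(p[i + 20:i + 24])))
    if state is None:
        return None                      # no matching flow: drop
    int_ip, int_port = state
    p[16:20] = int_ip                    # outer dst: gateway -> internal host
    p[i + 12:i + 16] = int_ip            # embedded src: gateway -> internal host
    p[i + 20:i + 22] = int_port          # embedded src port
    # p[12:16], the outer source, is the reporting router and is left untouched.
    set_csum(p, i + 10, i, i + 20)       # embedded IP header checksum
    set_csum(p, 22, 20, len(p))          # ICMP checksum
    set_csum(p, 10, 0, 20)               # outer IP header checksum
    return bytes(p)

def sample_time_exceeded() -> bytes:
    """Constructed time-exceeded reply from ROUTER for a NATed UDP probe to TARGET."""
    ip = lambda src, dst, proto, ttl, body: struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl, proto, 0, aton(src), aton(dst)) + body
    inner = ip(GW, TARGET, 17, 1, struct.pack("!HHHH", 50001, 33435, 8, 0))
    p = bytearray(ip(ROUTER, GW, 1, 250, struct.pack("!BBHI", 11, 0, 0, 0) + inner))
    for field, start, end in ((38, 28, 48), (22, 20, len(p)), (10, 0, 20)):
        set_csum(p, field, start, end)
    return bytes(p)

STATES = {(17, aton(GW) + aton(TARGET), struct.pack("!HH", 50001, 33435)): (aton(HOST), struct.pack("!H", 33000))}
```

With this translation the internal host sees the time-exceeded message coming from ROUTER, so traceroute labels the hop with the router's address; the symptom described in the comment corresponds to the outer source being replaced by TARGET instead.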

More information about the freebsd-pf mailing list