Hey again,
I have been looking through the source code of pf and wondering if this
might be an issue with all packets that pf initiates and sends by itself?
As far as I can tell pf uses the method "pf_send_tcp" to initiate
packages from itself, like the reset-packet used by "block return"-rules.
But routes like route-to/dup-to/reply-to seem only to be handled in
"pf_route" which is only used for the packets pf processes.
THE ISSUE:
The problem is "pf_send_tcp" does not really call "pf_route" at any time,
so I guess routing is not handled at all for these packets?
Would we dare to call pf_route() somewhere in pf_send_tcp() to fix this
- could someone give me a hint on this?
I also discovered an unrelated issue: in the source code of pf_route() I
see a comment saying "Copied from FreeBSD 5.1-CURRENT ip_output" - this
code seems quite old, e.g. there is no support for IPSEC in the copied
code. Both outside the FreeBSD special case and ip_output in CURRENT
do additional checks for IPSEC - I am not using IPSEC myself, but we
might also have trouble routing IPSEC traffic until this copied code is
updated?
Hope someone can hint me on pf_send_tcp/pf_route.
Thanks,
Kristian
On 30-01-2010 05:11, Kristian Kræmmer Nielsen wrote:
Hey,
I am experiencing an issue using reply-to on block rules.
I am a "nice" firewall administrator and always use "block return"
rules, thereby pf sends nice reset packets back to clients if they
attempt to connect to a port that pf is set up to block.
My setup is using a gif0 tunnel to tunnel specific traffic from
another public IP-address to the server. Since it is important that
packages are then to be routed back the same way and not using the
default-route, I use "pass in reply-to gif0"-rules and this worked
perfectly for all incoming traffic.
But, on my "block return in gif0 reply-to gif0" - pf seems to simply
ignore the reply-to parameter and instead decides to send the packets
back using the default route.
I see the packages go out on the wrong interface, in my case my
ethernet interface (em0), that is the default route for the server.
Could someone check to see if pf respects "reply-to" when sending
reset packages (block return)?
Or if that is not the case, explain to me what "reply-to" is supposed to
do on "block"-rules?
Best regards,
Kristian Kræmmer Nielsen,
Odense, Denmark
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
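The symptom described in this thread (RST packets for "block return ... reply-to gif0" leaving on em0 instead of gif0) can be confirmed from packet captures. The script below is an added example, not part of the original mail or of pf: it takes tcpdump -nn style lines from several interfaces, each prefixed with the interface name (an assumed tag added when merging the captures), and reports any RST whose destination belongs to a tunnelled client network but which left on an interface other than the one a reply-to rule would require. The sample lines and addresses are constructed.

```python
import ipaddress
import re

# One "tcpdump -nn" line with a leading interface tag (assumption: "iface <tcpdump line>").
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the parsed fields of one tagged tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["rst"] = "R" in fields["flags"]  # tcpdump prints RST as "R" or "R."
    return fields


def find_misrouted_resets(lines, reply_ifaces):
    """reply_ifaces maps a client network (string) to the interface its replies must
    leave on, i.e. what the reply-to rule dictates.  Returns a list of
    (src, dst, seen_iface, expected_iface) for every RST that left the wrong way."""
    nets = [(ipaddress.ip_network(n), iface) for n, iface in reply_ifaces.items()]
    misrouted = []
    for line in lines:
        pkt = parse_line(line)
        if not pkt or not pkt["rst"]:
            continue
        dst = ipaddress.ip_address(pkt["dst"])
        for net, iface in nets:
            if dst in net and pkt["iface"] != iface:
                misrouted.append((pkt["src"], pkt["dst"], pkt["iface"], iface))
    return misrouted


# Constructed capture: a SYN arrives over gif0, the RST for the blocked port goes out on em0.
SAMPLE = [
    "gif0 10:00:00.000001 IP 198.51.100.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0",
    "em0  10:00:00.000200 IP 192.0.2.10.22 > 198.51.100.5.51234: Flags [R.], seq 0, ack 2, win 0, length 0",
    "gif0 10:00:01.000001 IP 198.51.100.5.51235 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0",
    "gif0 10:00:01.000300 IP 192.0.2.10.80 > 198.51.100.5.51235: Flags [S.], seq 7, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    for src, dst, seen, wanted in find_misrouted_resets(SAMPLE, {"198.51.100.0/24": "gif0"}):
        print(f"RST {src} -> {dst} left on {seen}, expected {wanted}")
```

Real captures would come from running tcpdump -nn on em0 and gif0 concurrently and prefixing each line with the interface name before feeding them in.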