https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244514

p...@itassistans.se changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |p...@itassistans.se

--- Comment #8 from p...@itassistans.se ---
I agree with the earlier comment by Kristof Provost. This is not a FreeBSD bug.

pf is being told to route all reply packets back through a certain gateway, and
that is in fact what it's doing. If the way the administrator configures
FreeBSD violates an RFC, that's on the administrator. There are many ways to
configure firewall rules that go counter to what's written in an RFC, if that's
what you want to do.

It is also conversely possible to configure pf rules that do not cause this
behaviour, if that's what you want to do. If a project or system administrator
that uses pf generates pf rules that end up violating an RFC, it's on whoever
or whatever is writing the rules to write them differently.

In this case the firewall rule is working exactly as intended.

You might be able to argue that it would be useful for pf to have a feature
that would route packets down a certain interface, as opposed to specifically
through a specific gateway, but that would mean talking about introducing a new
feature, rather than changing behaviour of an old one. I think it might be a
good idea, but if you really want pf to do that, you can already do that by
writing rules that handle same-subnet traffic differently to cross-subnet
traffic, although it'd end up a bit messy.

Incidentally, I agree with ctminime's core problem description. The way
OPNsense and pfSense use this feature is bogus. But it has nothing to do with
FreeBSD or pf. It's doing what it's being told, and pf should not second guess
what the administrator is telling it to do. There may be good reasons to
configure your firewall in that way.

_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
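To make the "handle same-subnet traffic differently" suggestion concrete, here is an added pf.conf fragment; it is an illustration written for this page, not a rule set from the bug report, from the commenter, or from OPNsense/pfSense. The interface name em0, the gateway address 203.0.113.1 and the use of SSH (port 22) as the example service are assumptions chosen for the example.

```pf
# Assumed names for the example: em0 is the WAN-facing interface,
# 203.0.113.1 is its upstream gateway (both hypothetical).
ext_if = "em0"
ext_gw = "203.0.113.1"

# Hosts on em0's own subnet: no reply-to, so the reply follows the routing
# table and goes straight back to the neighbour on the link. "quick" stops
# evaluation here, so the reply-to rule below never applies to these flows.
pass in quick on $ext_if proto tcp from $ext_if:network to ($ext_if) port 22 \
    keep state

# Everything else arriving on em0: pin replies to em0 via the gateway, which is
# the multi-WAN pattern. Used on its own, this rule also sends replies to
# same-subnet hosts through the gateway, which is the behaviour discussed above.
pass in on $ext_if reply-to ($ext_if $ext_gw) proto tcp to ($ext_if) port 22 \
    keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and after loading confirm which rule a same-subnet connection matched with `pfctl -vss` (the state entry shows the route-to/reply-to target, if any). The same split has to be repeated for every service or protocol that is exposed with reply-to, which is the "bit messy" part the comment mentions.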