Bug #3173
closedNEGATE_ROUTE rule does not respect port numbers
100%
Description
See forum: http://forum.pfsense.org/index.php/topic,65886.0.html
If I add a rule on LAN to pass source all, destination all port 123 (NTP) then I get rules like this in /tmp/rules.debug:
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
<negate_networks> has a correct list of the networks that are on/across OpenVPN.
The first rule here allows traffic for any port, when I think it should have "port 123" in it to restrict the pass to just port 123.
The "port" clause is generated in filter.inc filter_generate_address, along with the whole "destination" clause. So it is not necessarily trivial to extract the port clause right where the negate_networks rule is written. So I will leave it to Ermal (I suspect) to sort out what code solution he thinks is neatest.
Since this is a situation where the underlying pf rules can pass more traffic than the user intended, I have made this high priority for 2.1.
Updated by Ermal Luçi over 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 81d81b942b5a6e81b97d2d0b159ae2bdcb739bd4.
Updated by Ermal Luçi over 11 years ago
Applied in changeset 44f0f09bda6b59c0f2f08c87c4d4e32b149555bb.
Updated by Phillip Davis over 11 years ago
The change did not quite make the snapshot of 2.1-RC1 (i386)
built on Tue Sep 3 14:08:44 EDT 2013. I copied the /etc/inc/filter.inc manually and it works. The port spec appears in the negate rule.
Updated by Renato Botelho over 11 years ago
- Status changed from Feedback to Resolved