Bug #3173

closed

NEGATE_ROUTE rule does not respect port numbers

Added by Phillip Davis over 10 years ago. Updated over 10 years ago.

Status: Resolved
Priority: High
Assignee: Ermal Luçi
Category: Rules / NAT
Target version:
Start date: 08/31/2013
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

See forum: http://forum.pfsense.org/index.php/topic,65886.0.html

If I add a rule on LAN to pass source all, destination all port 123 (NTP) then I get rules like this in /tmp/rules.debug:

pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"

<negate_networks> has a correct list of the networks that are on/across OpenVPN.
The first rule here allows traffic for any port, when I think it should have "port 123" in it to restrict the pass to just port 123.
The "port" clause is generated in filter.inc filter_generate_address, along with the whole "destination" clause. So it is not necessarily trivial to extract the port clause right where the negate_networks rule is written. So I will leave it to Ermal (I suspect) to sort out what code solution he thinks is neatest.
Since this is a situation where the underlying pf rules can pass more traffic than the user intended, I have made this high priority for 2.1.
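
As an added illustration (not part of the original report and not pfSense's own code), the following Python audit checks a rules.debug excerpt for the condition described above: a NEGATE_ROUTE rule with no matching port restriction ahead of a user rule that has one. The sample rules are constructed from the two lines quoted in the report plus a hypothetical pair in which the negate rule carries the port clause; the function names, and the assumption that each negate rule directly precedes the rule it was generated for, are this example's own.

```python
import re

# Constructed sample: lines 1-2 are the rules quoted in the report; lines 3-4
# are a hypothetical pair in which the negate rule carries the port clause.
SAMPLE_RULES = """\
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> port 123 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
"""

LABEL_RE = re.compile(r'label\s+"([^"]*)"')
# Destination clause: "to <target>" optionally followed by "port <spec>".
# The lookbehind keeps "route-to" and "proto" from matching as "to".
DEST_RE = re.compile(r'(?<![-\w])to\s+(\S+)(?:\s+port\s+(\{[^}]*\}|\S+))?')


def parse_rule(lineno, line):
    """Extract the label and destination port spec from one pf rule line."""
    label = LABEL_RE.search(line)
    body = line[:label.start()] if label else line  # keep label text out of the match
    dest = DEST_RE.search(body)
    return {"line": lineno,
            "label": label.group(1) if label else "",
            "port": dest.group(2) if dest else None}


def find_overbroad_negates(text):
    """Flag NEGATE_ROUTE rules that pass more ports than the rule that follows.

    Assumption: the negate rule sits directly before the policy-routed rule it
    was generated for, as in the excerpt in the report.
    """
    rules = [parse_rule(n, l) for n, l in enumerate(text.splitlines(), 1)
             if l.strip().startswith(("pass", "block"))]
    findings = []
    for negate, user in zip(rules, rules[1:]):
        if not negate["label"].startswith("NEGATE_ROUTE"):
            continue
        if user["port"] and negate["port"] != user["port"]:
            findings.append({"line": negate["line"], "negate_port": negate["port"],
                             "user_port": user["port"], "user_label": user["label"]})
    return findings


if __name__ == "__main__":
    for f in find_overbroad_negates(SAMPLE_RULES):
        print(f'line {f["line"]}: negate rule port={f["negate_port"]} but '
              f'"{f["user_label"]}" is limited to port {f["user_port"]}')
```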
