[Bug 281871] [pf] "match out on $ext_if proto tcp scrub (min-ttl 128)" modify incoming packets too

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 05 Oct 2024 16:05:32 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281871

            Bug ID: 281871
           Summary: [pf] "match out on $ext_if proto tcp scrub (min-ttl
                    128)" modify incoming packets too
           Product: Base System
           Version: 14.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: vvd@FreeBSD.org

I have a software gateway running FreeBSD 14.1-p5 amd64 with pf NAT for hosts in the
local net.

Steps to reproduce:
1. on gateway in /etc/pf.conf:
`match out on $ext_if proto tcp scrub (min-ttl 128)`
and
`nat on $ext_if from <local_nets> to any -> $ext_ip`
2. on gateway (where $IP is the IP address of a host on the internet - for example
freebsd.org):
`tcpdump -nv -i$ext_if host $IP`
3. on host in local network:
`tcpdump -nv -i$if host $IP`
4. on host in local network:
`telnet $IP $PORT`
5. on gateway:
request:  `$ext_ip > $IP` with ttl 128,
response: `$IP > $ext_ip` with ttl 59
6. on host in local network:
request:  `$local_ip > $IP` with ttl 64,
response: `$IP > $local_ip` with ttl 127 - here it should be 58
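To make the observation above checkable rather than eyeballed, here is an added example (not part of the bug report) that parses the two `tcpdump -nv` captures and flags replies whose TTL on the LAN host is not the gateway-side TTL minus one. The capture text is constructed to mirror the report; 203.0.113.5 stands in for $IP, 198.51.100.1 for $ext_ip and 192.0.2.10 for $local_ip.

```python
import re

# tcpdump -nv prints one line with the IP header (including ttl) followed by an
# indented line of the form "src.port > dst.port: ...".
IP_LINE = re.compile(r"IP \(tos 0x[0-9a-fA-F]+, ttl (?P<ttl>\d+),")
FLOW_LINE = re.compile(r"^\s+(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+:")

def parse_tcpdump(text):
    """Return a list of (src, dst, ttl) tuples from tcpdump -nv output."""
    packets, ttl = [], None
    for line in text.splitlines():
        m = IP_LINE.search(line)
        if m:
            ttl = int(m.group("ttl"))
            continue
        m = FLOW_LINE.match(line)
        if m and ttl is not None:
            packets.append((m.group("src"), m.group("dst"), ttl))
            ttl = None
    return packets

def inbound_ttl_findings(gateway_text, lan_text, remote_ip):
    """Pair each reply from remote_ip seen on the gateway with the same reply seen
    on the LAN host (same order). The gateway forwards once, so the LAN-side TTL
    should be exactly one less; anything else means the packet was rewritten."""
    gw = [p for p in parse_tcpdump(gateway_text) if p[0] == remote_ip]
    lan = [p for p in parse_tcpdump(lan_text) if p[0] == remote_ip]
    findings = []
    for (_, _, gw_ttl), (_, lan_dst, lan_ttl) in zip(gw, lan):
        expected = gw_ttl - 1
        if lan_ttl != expected:
            findings.append({"dst": lan_dst, "gateway_ttl": gw_ttl,
                             "expected_lan_ttl": expected, "lan_ttl": lan_ttl})
    return findings

# Constructed sample captures (not from the report): the reply reaches the
# gateway with ttl 59 but arrives at the LAN host with ttl 127 instead of 58.
GATEWAY_CAPTURE = """\
IP (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.1.50000 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.5.80 > 198.51.100.1.50000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""
LAN_CAPTURE = """\
IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.50000 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
IP (tos 0x0, ttl 127, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.5.80 > 192.0.2.10.50000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

if __name__ == "__main__":
    for f in inbound_ttl_findings(GATEWAY_CAPTURE, LAN_CAPTURE, "203.0.113.5"):
        print(f)
```

Feed it the real captures from steps 2 and 3 and an empty result means inbound replies are only being decremented, not rewritten.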
