Date: Wed, 13 Jun 2007 12:43:21 +0200 (CEST)
From: Janos Mohacsi <mohacsi@niif.hu>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: pf does not use IPv6 interface addresses at startups
Message-ID: <200706131043.l5DAhLOV024723@scone.ki.iif.hu>

>Submitter-Id: current-users
>Originator: Janos Mohacsi
>Organization: NIIF/HUNGARNET
>Confidential: no
>Synopsis: pf does not use IPv6 interface addresses at startups
>Severity: serious
>Priority: low
>Category: bin
>Class: sw-bug
>Release: FreeBSD 6.2-STABLE i386
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386
>Description:
The pf firewall does not use the IPv6 addresses at startup. If you start
using the pf firewall with IPv6 enabled, the IPv6 addresses are not used:
e.g. in case of the pf rule:

        pass out quick proto tcp from $ext_if to any keep state

the real rule will be:

        pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state

The IPv6 address of the external interface is not taken into consideration,
since the IPv6 address is not configured yet.
>How-To-Repeat:
Try using interface names with ipv6 enabled in pf firewall.
>Fix:
1. Start network_ipv6 before pf in /etc/rc.d.

mohacsi@mignon2> diff -ruN pf.orig pf
--- pf.orig Wed Jun 13 12:43:30 2007 +++ pf Wed Jun 13 12:43:53 2007 @@ -4,7 +4,7 @@ # # PROVIDE: pf -# REQUIRE: root FILESYSTEMS netif pflog pfsync +# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6 # BEFORE: routing # KEYWORD: nojail

2. However, to protect services during boot I recommend adding pfboot in
/etc/rc.d. See the /etc/rc.d/pfboot reference at NetBSD
http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
and /etc/pf.boot.conf also at NetBSD
http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup
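
Review bot: the unchanged "# BEFORE: routing" line in this hunk now sits next to a new network_ipv6 entry in REQUIRE, so pf is asked to start after network_ipv6 and still before routing, and that only resolves if network_ipv6 does not itself have to run after routing, which the patch does not show. Suggest checking the resulting order with rcorder over /etc/rc.d/* before committing and, if the two constraints conflict, changing the BEFORE line in the same patch. A one-line comment above REQUIRE saying why network_ipv6 is listed (interface names in rules are expanded to the addresses configured at the moment the ruleset is loaded) would keep the dependency from being dropped later.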