Date: Mon, 06 Jun 2011 23:27:27 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-rc@freebsd.org
Subject: pf starts before network_ipv6 ?
Message-ID: <4DED544F.9020705@infracaninophile.co.uk>

Hmmm.... pf(4) is started before IPv6 addresses are configured on
interfaces.
lucid-nonsense:~:% rcorder /etc/rc.d/* | grep -A 3 '/pf$'
/etc/rc.d/pf
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/network_ipv6
I can see that starting pf before configuring routing is desirable, and
there is code in network_ipv6 that is routing dependent, but configuring
IPv6 addresses on interfaces during network_ipv6 and after pf has
started means /etc/pf.conf will frequently evaluate to a different set
of rules on boot than it will if pf.conf is reloaded during normal runtime.
E.g. when pf starts, there's generally only a link-local IPv6 address
configured on the interface, so in pf rules like:
pass in on $ext_if proto tcp \
    from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
the $ext_if in line 2 doesn't expand to include the usual routable IPv6
address of the interface, and the ssh bruteforce blocking function here
will be ineffectual. This seems so obviously wrong to me, that I must
be missing something?
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
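Added example, not part of the post above or of FreeBSD's own rc scripts: whatever the rc ordering, a ruleset is only exposed to this problem where an interface macro is used as an address operand in the bare `$ext_if` form, because pf.conf(5) translates a bare interface name to its addresses once, at ruleset load time, while the parenthesized `($ext_if)` form is re-evaluated by the kernel whenever the interface's addresses change. The POSIX sh script below (my construction; the `SAMPLE_PF_CONF` fragment is constructed, modelled on the rule in the post) folds backslash-continued rules into one logical line each, reports rules whose `from`/`to` operand is the bare macro, and rewrites them to the parenthesized form. The macro name is passed as an argument; `ext_if` is assumed from the post.

```shell
#!/bin/sh
# Constructed sample pf.conf fragment (not the original post's file), modelled
# on the rule in the post.  Backslash continuations are kept deliberately so
# the joining step is exercised.
SAMPLE_PF_CONF='ext_if = "em0"
table <ssh-bruteforce> persist
block in on $ext_if from <ssh-bruteforce>
pass in on $ext_if proto tcp \
    from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass out on $ext_if from ($ext_if) to any keep state
'

# join_continued: fold backslash-continued lines into one logical rule per
# output line, dropping leading indentation.
join_continued() {
    awk '
        { sub(/^[ \t]+/, "") }
        /\\$/ { sub(/[ \t]*\\$/, ""); buf = buf $0 " "; next }
        { print buf $0; buf = "" }
        END { if (buf != "") print buf }
    '
}

# flag_static_if_addrs MACRO: print each logical rule in which $MACRO appears
# as an address operand (the word after "from" or "to") without parentheses.
# pf expands such a macro to the interface's addresses once, at load time, so
# addresses configured later (e.g. IPv6 by network_ipv6) are never matched.
flag_static_if_addrs() {
    macro="$1"
    join_continued | awk -v m="$macro" '
        {
            n = split($0, w, /[ \t]+/)
            for (i = 2; i <= n; i++)
                if ((w[i-1] == "from" || w[i-1] == "to") && w[i] == "$" m)
                    { print; break }
        }
    '
}

# fix_static_if_addrs MACRO: rewrite bare "from $MACRO" / "to $MACRO" operands
# as the parenthesized, runtime-evaluated "($MACRO)" form.  Operands that are
# already parenthesized, and "on $MACRO" interface selectors, are left alone.
# Output is one logical rule per line.
fix_static_if_addrs() {
    macro="$1"
    join_continued | awk -v m="$macro" '
        {
            n = split($0, w, /[ \t]+/)
            for (i = 2; i <= n; i++)
                if ((w[i-1] == "from" || w[i-1] == "to") && w[i] == "$" m)
                    w[i] = "(" w[i] ")"
            line = w[1]
            for (i = 2; i <= n; i++) line = line " " w[i]
            print line
        }
    '
}

# Demonstration on the constructed sample; on a real host feed /etc/pf.conf
# through the same functions instead.
echo '== rules whose $ext_if addresses are frozen at load time =='
printf '%s' "$SAMPLE_PF_CONF" | flag_static_if_addrs ext_if
echo '== rewritten to the runtime-evaluated form =='
printf '%s' "$SAMPLE_PF_CONF" | fix_static_if_addrs ext_if
```

Only the `pass in ... to $ext_if port ssh` rule is flagged; the `on $ext_if` selectors and the already-parenthesized `from ($ext_if)` operand are not. The check is a word-adjacency heuristic: it does not see macros carrying modifiers such as `$ext_if:network`, comment lines, or lists in braces, so treat a clean result as a prompt to read the ruleset, not as proof. Rewriting to `($ext_if)` makes the ruleset robust to addresses arriving after pf has loaded; it does not change the rc ordering the post is asking about.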