From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Mon, 06 Jun 2011 23:27:27 +0100
To: freebsd-rc@freebsd.org
Subject: pf starts before network_ipv6 ?

Hmmm.... pf(4) is started before IPv6 addresses are configured on
interfaces.

lucid-nonsense:~:% rcorder /etc/rc.d/* | grep -A 3 '/pf$'
/etc/rc.d/pf
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/network_ipv6

I can see that starting pf before configuring routing is desirable, and
there is code in network_ipv6 that is routing dependent, but configuring
IPv6 addresses on interfaces during network_ipv6 and after pf has started
means /etc/pf.conf will frequently evaluate to a different set of rules
on boot than it will if pf.conf is reloaded during normal runtime. Eg.
when pf starts, there's generally only a link-local IPv6 address
configured on the interface, so in pf rules like:

    pass in on $ext_if proto tcp \
        from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 3/30, overload flush global)

the $ext_if in line 2 doesn't expand to include the usual routable IPv6
address of the interface, and the ssh bruteforce blocking function here
will be ineffectual.

This seems so obviously wrong to me, that I must be missing something?

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
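A way to detect the drift described in this post, written here as an added example and not taken from the original message: it compares the addresses present in the ruleset pf loaded at boot with those the current pf.conf would expand to, assuming `pfctl -sr` and `pfctl -nvf /etc/pf.conf` on the live host and falling back to constructed sample rule dumps elsewhere.

```shell
#!/bin/sh
# Added example, not from the original post: report addresses that the current
# /etc/pf.conf would expand an interface macro to, but which are absent from the
# ruleset pf actually loaded. pf expands "to $ext_if" into one rule per address
# the interface holds at load time, so a ruleset loaded before network_ipv6 ran
# only carries the link-local address.

# Print every IPv4/IPv6 literal in a ruleset dump, one per line, de-duplicated.
extract_addrs() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+' |
        grep -v '^:*$' | sort -u
}

# missing_addrs LOADED CANDIDATE: addresses present in CANDIDATE but not LOADED.
missing_addrs() {
    loaded=$(printf '%s\n' "$1" | extract_addrs)
    printf '%s\n' "$2" | extract_addrs | while IFS= read -r addr; do
        printf '%s\n' "$loaded" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done
}

# Constructed sample dumps standing in for pfctl(8) output: at boot em0 had only
# its link-local address; the reloaded ruleset also covers 2001:db8::10.
BOOT_RULES='pass in on em0 inet6 proto tcp from any to fe80::1 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state'
NOW_RULES='pass in on em0 inet6 proto tcp from any to fe80::1 port = ssh flags S/SA keep state
pass in on em0 inet6 proto tcp from any to 2001:db8::10 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state'

# On a FreeBSD host with pf running (pfctl -sr needs root), compare the live
# ruleset with what /etc/pf.conf would load now; elsewhere use the sample dumps.
if command -v pfctl >/dev/null 2>&1 && [ -r /etc/pf.conf ]; then
    missing_addrs "$(pfctl -sr)" "$(pfctl -nvf /etc/pf.conf)"
else
    missing_addrs "$BOOT_RULES" "$NOW_RULES"   # prints 2001:db8::10
fi
```

Any address the script prints is one the running ruleset does not cover, so a non-empty result after boot confirms the ordering problem on that host. pf.conf(5) also allows an interface name in parentheses, e.g. `($ext_if)`, which makes the kernel follow the interface's addresses as they change instead of freezing them at load time, so rules written that way are not affected by the start order.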