>Submitter-Id:  current-users
>Originator:    Janos Mohacsi
>Organization:  NIIF/HUNGARNET
>Confidential:  no
>Synopsis:      pf does not use IPv6 interface addresses at startups
>Severity:      serious
>Priority:      low
>Category:      bin
>Class:         sw-bug
>Release:       FreeBSD 6.2-STABLE i386
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 
18:23:24 CEST 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SCONE i386

>Description:
        The pf firewall does not use the IPv6 addresses at startup.
        If you start the pf firewall with IPv6 enabled, the IPv6 addresses
        are not used:
        e.g.
        in case of the pf rule:
        pass out quick proto tcp from $ext_if to any keep state

        the real rule will be:
        pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state

        The IPv6 address of the external interface is not taken into consideration,
        since the IPv6 address is not configured yet at the time pf loads its rules.


>How-To-Repeat:
        Try using interface names in pf rules with IPv6 enabled.
>Fix:
        1.
        Start network_ipv6 before pf in /etc/rc.d.

[EMAIL PROTECTED]> diff -ruN pf.orig pf
--- pf.orig     Wed Jun 13 12:43:30 2007
+++ pf  Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
 # BEFORE:  routing
 # KEYWORD: nojail
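Review bot: appending network_ipv6 to the REQUIRE line in this hunk makes pf load its ruleset only after the IPv6 addresses are configured, which is the right side of the dependency, but it also lengthens the boot window in which netif and network_ipv6 have brought up interfaces with no ruleset loaded at all; the patch should either carry the early default-deny ruleset described in point 2 below, or at least document that window in the commit message. A second caveat worth noting in the script header or commit message: interface names in pf rules are expanded once at load time, so this ordering fix only covers addresses present when pf starts, not addresses that arrive later.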

        2.
        However, to protect services during boot I recommend adding pfboot in
        /etc/rc.d.
        See the /etc/rc.d/pfboot reference at NetBSD:
        http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
        and /etc/pf.boot.conf, also at NetBSD:
        http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup
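As an added example (not part of the original PR or of FreeBSD's rc.d scripts), the following POSIX shell snippet wraps the two checks an administrator would run to confirm the symptom in the Description and the ordering change in fix 1: `rcorder /etc/rc.d/*` prints the boot order, and `pfctl -nvf /etc/pf.conf` does a verbose dry run that prints each rule after macros and interface names have been expanded. The interface name `em0`, the addresses, and the rcorder and pfctl listings embedded below are constructed samples, not output captured from a real host; on a real system you would pipe the live command output into the two functions instead.

```shell
#!/bin/sh
# Added example, not part of the original PR. Two checks for the pf/IPv6
# startup ordering problem:
#  - rc_order_ok          reads `rcorder /etc/rc.d/*` output on stdin and
#                         succeeds only if network_ipv6 is ordered before pf
#  - pf_missing_families  reads `pfctl -nvf /etc/pf.conf` output on stdin
#                         and prints each address family (inet, inet6) that
#                         no expanded pass/block rule mentions
# All sample listings below are constructed for the example.

rc_order_ok() {
    # Record the line number of each script; succeed if network_ipv6 is
    # listed before pf ("pf$" does not match pflog or pfsync).
    awk '
        /\/network_ipv6$/ { v6 = NR }
        /\/pf$/           { pf = NR }
        END { exit !(v6 && pf && v6 < pf) }
    '
}

pf_missing_families() {
    # After expansion pfctl prints one rule per address family the
    # interface had an address for; report the families that are absent.
    awk '
        /^(pass|block) / && / inet /  { inet = 1 }
        /^(pass|block) / && / inet6 / { inet6 = 1 }
        END {
            if (!inet)  print "inet"
            if (!inet6) print "inet6"
        }
    '
}

# Constructed rcorder output with pf ordered before network_ipv6 (the
# situation the PR describes).
ORDER_BEFORE='/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pfsync
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/network_ipv6'

# Constructed rcorder output after adding network_ipv6 to pf's REQUIRE line.
ORDER_AFTER='/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pfsync
/etc/rc.d/network_ipv6
/etc/rc.d/pf
/etc/rc.d/routing'

# Constructed `pfctl -nvf` output for
#   ext_if = "em0"
#   pass out quick proto tcp from $ext_if to any keep state
# when only the IPv4 address existed at load time ...
RULES_AT_BOOT='ext_if = "em0"
pass out quick inet proto tcp from 192.0.2.10 to any keep state'

# ... and when both address families were configured before pf started.
RULES_AFTER_FIX='ext_if = "em0"
pass out quick inet proto tcp from 192.0.2.10 to any keep state
pass out quick inet6 proto tcp from 2001:db8::10 to any keep state'

# Demonstration run over the constructed samples.
for name in ORDER_BEFORE ORDER_AFTER; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | rc_order_ok; then
        echo "$name: network_ipv6 starts before pf"
    else
        echo "$name: pf starts before network_ipv6 (IPv6 addresses not yet configured)"
    fi
done

for name in RULES_AT_BOOT RULES_AFTER_FIX; do
    eval "rules=\$$name"
    missing=$(printf '%s\n' "$rules" | pf_missing_families)
    echo "$name: missing address families: ${missing:-none}"
done
```

The second function is the more useful one in practice: running `pfctl -nvf /etc/pf.conf` right after boot and again after `pfctl -f /etc/pf.conf` shows directly whether the inet6 rules appear only on the reload.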

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security