Date:      Sun, 26 Aug 2007 20:51:03 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        Henri Hennebert <hlh@restart.be>, freebsd-net@freebsd.org
Subject:   Re: Wrong order in rc.d (pf and ipv6) 
Message-ID:  <20070827035103.06A0F45048@ptavv.es.net>
In-Reply-To: Your message of "Sat, 25 Aug 2007 21:46:11 PDT." <alpine.BSF.0.999.0708252144530.37977@qbhto.arg> 


> Date: Sat, 25 Aug 2007 21:46:11 -0700 (PDT)
> From: Doug Barton <dougb@FreeBSD.org>
> Sender: owner-freebsd-net@freebsd.org
> 
> On Thu, 23 Aug 2007, Henri Hennebert wrote:
> 
> > Hello,
> >
> > I notice that after a reboot, my pf rules don't take the ipv6 address 
> > (managed with ipv6_ifconfig_rl0="2001:...:1") into account.
> >
> > rcorder /etc/rc.d/* show that pf is started before network_ipv6, is it 
> > normal?
> 
> The consensus was that all firewalls should be started before all 
> interfaces. That way a system will come up protected with no window of 
> vulnerability.

That may be consensus, but IPv6 simply can't be run in most environments
if the end system can't communicate with NDP at startup time. The
situation is essentially the same as trying to start IPv4 with no
ARP. (And it is worse if the end system is going to auto-configure its
address.)

This is a bit of a security conundrum. It looks like a default hole in
the firewalls for the critical NDP and maybe RDP will be needed. In the
meantime I have had to set IPFIREWALL_DEFAULT_TO_ACCEPT for my systems
running IPv6.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

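One way to give pf the "default hole" for NDP that the reply above describes while keeping a default-deny policy, as an added pf.conf example that is not part of this thread, of FreeBSD's rc scripts, or of the posters' own configurations. It assumes the interface rl0 from the original report and a hypothetical macro name ext_if; the icmp6-type keywords and the parenthesized interface syntax are pf's own. It also addresses the original symptom: because pf loads before network_ipv6 assigns the address from ipv6_ifconfig_rl0, a rule written with the literal address has nothing to match at load time, whereas `($ext_if)` is re-evaluated by pf when the address appears.

```pf
# Interface that receives its IPv6 address from rc.conf's ipv6_ifconfig_rl0
# later in the boot order than pf itself (ext_if is a hypothetical macro name).
ext_if = "rl0"

set skip on lo0

# Default deny in both directions: the host comes up closed, as the rcorder
# placement of pf before the interfaces intends.
block all

# Neighbor Discovery (RFC 4861) has to work before any address-based rule
# can be useful: Router Solicitation/Advertisement, Neighbor
# Solicitation/Advertisement and Redirect (ICMPv6 types 133-137).
# Duplicate Address Detection sends Neighbor Solicitations from the
# unspecified address (::), so the outbound rule must not require a
# configured source. Drop "redir" from the set if redirects are unwanted.
pass in quick on $ext_if inet6 proto ipv6-icmp from any to any \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv, redir }
pass out quick on $ext_if inet6 proto ipv6-icmp from { ::, fe80::/10, ($ext_if) } to any \
    icmp6-type { routersol, neighbrsol, neighbradv }

# Rules that need the global address name the interface in parentheses, so pf
# tracks the address assigned by network_ipv6 after the ruleset was loaded,
# instead of freezing a literal address (or none) at load time.
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
pass out on $ext_if inet6 from ($ext_if) to any keep state
```

Loading this with `pfctl -nf /etc/pf.conf` first checks the syntax without installing it; `pfctl -sr` after boot shows the interface-derived addresses that pf substituted into the parenthesized rules once network_ipv6 had run. With these rules in place the default-to-accept setting mentioned in the reply is not needed to get NDP, and therefore IPv6, working at startup.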


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070827035103.06A0F45048>