From owner-freebsd-net@FreeBSD.ORG Mon Aug 27 03:51:10 2007
Date: Sun, 26 Aug 2007 20:51:03 -0700
From: "Kevin Oberman"
To: Doug Barton
Cc: Henri Hennebert, freebsd-net@freebsd.org
Subject: Re: Wrong order in rc.d (pf and ipv6)
Message-Id: <20070827035103.06A0F45048@ptavv.es.net>
In-Reply-To: Your message of "Sat, 25 Aug 2007 21:46:11 PDT."
List-Id: Networking and TCP/IP with FreeBSD

> Date: Sat, 25 Aug 2007 21:46:11 -0700 (PDT)
> From: Doug Barton
> Sender: owner-freebsd-net@freebsd.org
>
> On Thu, 23 Aug 2007, Henri Hennebert wrote:
>
> > Hello,
> >
> > I notice that after a reboot, my pf rules don't take the ipv6 address
> > (managed with ipv6_ifconfig_rl0="2001:...:1") into account.
> >
> > rcorder /etc/rc.d/* show that pf is started before network_ipv6, is it
> > normal?
>
> The consensus was that all firewalls should be started before all
> interfaces. That way a system will come up protected with no window of
> vulnerability.

That may be consensus, but IPv6 simply can't be run in most environments
if the end system can't communicate with NDP at startup time. The
situation is essentially the same as trying to start IPv4 with no ARP.
(And it is worse if the end system is going to auto-configure its
address.)

This is a bit of a security conundrum. It looks like a default hole in
the firewalls for the critical NDP and maybe RDP will be needed. In the
meantime I have had to set IPFIREWALL_DEFAULT_TO_ACCEPT for my systems
running IPv6.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net                  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
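The "default hole for NDP" that Kevin describes, written out as a pf.conf fragment. This is an added example and not part of the thread, nor FreeBSD's or anyone's shipped configuration; the interface name rl0 is assumed from Henri's quoted ipv6_ifconfig_rl0 line, and the rule set is deliberately minimal so the block-by-default policy survives while the interface is still unconfigured.

```pf
# Added example (not from the mailing-list thread). Keeps a block-by-default
# policy but opens only the ICMPv6 message types that Neighbor Discovery
# (RFC 4861) needs, so IPv6 can come up even when pf is enabled before
# network_ipv6 runs. rl0 is assumed; use your own interface name.
ext_if = "rl0"

# Default deny: nothing passes unless a later rule allows it.
block log all

# Router Solicitation/Advertisement and Neighbor Solicitation/Advertisement
# must work before the interface has any address, so they cannot depend on
# an address-based rule. This is the whole "hole": four ICMPv6 types, nothing
# else, rather than a default-accept policy for the entire firewall.
pass quick on $ext_if inet6 proto icmp6 all \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# Rules that refer to the host's own IPv6 address go here. Writing the
# interface in parentheses makes pf re-evaluate the interface's addresses
# when they change, so the rule picks up the address assigned later by
# network_ipv6 instead of being evaluated against an empty interface at
# pf startup (which is the symptom Henri reported).
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port 22
```

Check the fragment parses with `pfctl -nf /etc/pf.conf` before loading it. Compared with setting IPFIREWALL_DEFAULT_TO_ACCEPT, this keeps the window between firewall start and interface configuration closed for everything except the four NDP message types; if the host also relies on DHCPv6 or multicast listener reports, those need their own narrow pass rules rather than a wider default.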