Date: Mon, 06 Jun 2011 23:27:27 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-rc@freebsd.org Subject: pf starts before network_ipv6 ? Message-ID: <4DED544F.9020705@infracaninophile.co.uk>
next in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig1CCCBAEADB45CD049BF21DD4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hmmm.... pf(4) is started before IPv6 addresses are configured on interfaces. lucid-nonsense:~:% rcorder /etc/rc.d/* | grep -A 3 '/pf$' /etc/rc.d/pf /etc/rc.d/ppp /etc/rc.d/routing /etc/rc.d/network_ipv6 I can see that starting pf before configuring routing is desirable, and there is code in network_ipv6 that is routing dependent, but configuring IPv6 addresses on interfaces during network_ipv6 and after pf has started means /etc/pf.conf will frequently evaluate to a different set of rules on boot than it will if pf.conf is reloaded during normal runtim= e. Eg. when pf starts, there's generally only a link-local IPv6 address configured on the interface, so in pf rules like: pass in on $ext_if proto tcp \ from any to $ext_if port ssh \ flags S/SA keep state \ (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) the $ext_if in line 2 doesn't expand to include the usual routable IPv6 address of the interface, and the ssh bruteforce blocking function here will be ineffectual. This seems so obviously wrong to me, that I must be missing something? Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW --------------enig1CCCBAEADB45CD049BF21DD4 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk3tVFcACgkQ8Mjk52CukIyIjACgiw1au1g6DAo5rhomlCTpPqXX aUUAn347ngD/6QlD3xp7a0ZXqvH6R1dX =/aw1 -----END PGP SIGNATURE----- --------------enig1CCCBAEADB45CD049BF21DD4--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DED544F.9020705>