Date:      Mon, 06 Jun 2011 23:27:27 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-rc@freebsd.org
Subject:   pf starts before network_ipv6 ?
Message-ID:  <4DED544F.9020705@infracaninophile.co.uk>



Hmmm.... pf(4) is started before IPv6 addresses are configured on
interfaces.

lucid-nonsense:~:% rcorder /etc/rc.d/* | grep -A 3 '/pf$'
/etc/rc.d/pf
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/network_ipv6

I can see that starting pf before configuring routing is desirable, and
there is code in network_ipv6 that is routing dependent, but configuring
IPv6 addresses on interfaces during network_ipv6 and after pf has
started means /etc/pf.conf will frequently evaluate to a different set
of rules on boot than it will if pf.conf is reloaded during normal runtime.

Eg. when pf starts, there's generally only a link-local IPv6 address
configured on the interface, so in pf rules like:

pass in on $ext_if proto tcp              \
     from any to $ext_if port ssh         \
     flags S/SA keep state                \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

the $ext_if in line 2 doesn't expand to include the usual routable IPv6
address of the interface, and the ssh bruteforce blocking function here
will be ineffectual.  This seems so obviously wrong to me, that I must
be missing something?

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
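The mismatch described in the message can be checked on a running host by comparing the IPv6 addresses an interface actually carries against the addresses the loaded ruleset expanded `$ext_if` to. The script below is an added example, not code from the original post: it assumes `$ext_if` is `em0`, uses constructed `ifconfig em0 inet6` and `pfctl -sr` output (documentation prefixes only), and the `pfctl -sr` line format is approximate. It reports every configured address that no loaded rule mentions, which is exactly the state pf is left in when the ruleset is parsed before network_ipv6 runs. (pf.conf(5)'s parenthesised `($ext_if)` form tracks address changes at run time and avoids the problem; the check is for rulesets that use the bare macro.)

```sh
#!/bin/sh
# Constructed sample: `ifconfig em0 inet6` after network_ipv6 has run.
IFCONFIG_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
	inet6 2001:db8:1::10 prefixlen 64'

# Constructed sample: `pfctl -sr` for a ruleset loaded while only the
# link-local address existed, so "to $ext_if" expanded to fe80::1 only.
PFCTL_EARLY='pass in on em0 inet6 proto tcp from any to fe80::1 port = ssh flags S/SA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in on em0 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)'

# Constructed sample: the same pf.conf reloaded after the global address
# was configured; the macro now expands to both IPv6 addresses.
PFCTL_RELOADED="$PFCTL_EARLY
pass in on em0 inet6 proto tcp from any to 2001:db8:1::10 port = ssh flags S/SA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)"

# iface_inet6_addrs IFCONFIG_OUTPUT
# Print each configured IPv6 address, with any %scope suffix stripped.
iface_inet6_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet6" { sub(/%.*/, "", $2); print $2 }'
}

# missing_from_rules IFCONFIG_OUTPUT PFCTL_OUTPUT
# Print every configured IPv6 address that appears in no loaded rule as a
# destination ("to ADDR"). Empty output means the ruleset matches the interface.
missing_from_rules() {
    iface_inet6_addrs "$1" | while read -r addr; do
        if ! printf '%s\n' "$2" | grep -qF " to $addr "; then
            printf '%s\n' "$addr"
        fi
    done
}

echo "Addresses on em0 absent from the early-loaded ruleset:"
missing_from_rules "$IFCONFIG_SAMPLE" "$PFCTL_EARLY"
echo "Addresses on em0 absent from the reloaded ruleset:"
missing_from_rules "$IFCONFIG_SAMPLE" "$PFCTL_RELOADED"
```

On a live host, replace the constructed samples with `missing_from_rules "$(ifconfig em0 inet6)" "$(pfctl -sr)"`; a non-empty result after boot confirms the ruleset was expanded before the address existed.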

