Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 6 Nov 2008 13:56:44 +0100
From:      Gert Doering <>
Subject:   rcorder pf vs. network_ipv6 on 6.3-RELEASE
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help

(bear with me, I'm normally not working on that part of the system, and
I'm normally not subscribed to this list - so if I violate any sort of
netiquette, I'm sorry for it).

I ran into a problem with one of our FreeBSD 6.3-RELEASE machines today,
and checking 7.0-RELEASE, the problem is similar over there.

The issue I have is that /etc/rc.d/pf is run *before* /etc/rc.d/network_ipv6
(because network_ipv6 demands so).


# REQUIRE: root FILESYSTEMS netif pflog pfsync
# BEFORE:  routing


# PROVIDE: network_ipv6
# REQUIRE: routing

The problem comes up if you have pf(4) IPv6 rules that tack to an interface,
as in:

  pass in on $ext_if proto tcp from any     to $ext_if port 443 keep state

if that rule is loaded *before* the interface gets configured, pf will
not re-sync afterwards, so the firewall rule is ignored.

It can be worked around by putting "to ($ext_if)" into the pf(4) rules,
but there might be circumstances where this is not desirable ("if the
address changes, this is exceptional circumstances and we want to know!"),
and the current boot order takes away the decision from the user how
to write his pf(4) rules.

I tried to change the PROVIDE/REQUIRE/BEFORE statements in "pf" and
"network_ipv6" to force execution of network_ipv6 before pf, but failed
(rcorder complains about circular dependencies and I can't see why).

So I'm handing this problem to you guys - please consider whether this
should be changed (execute all IP configuration before all firewall stuff),
and if yes, how to do it "right".


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                   
fax: +49-89-35655025              

Want to link to this message? Use this URL: <>