Date:      Wed, 13 Jun 2007 12:43:21 +0200 (CEST)
From:      Janos Mohacsi <mohacsi@niif.hu>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        freebsd-security@FreeBSD.org
Subject:   bin/113650: pf does not use IPv6 interface addresses at startups
Message-ID:  <200706131043.l5DAhLOV024723@scone.ki.iif.hu>
Resent-Message-ID: <200706131050.l5DAo2Ve062092@freefall.freebsd.org>


>Number:         113650
>Category:       bin
>Synopsis:       pf does not use IPv6 interface addresses at startups
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 13 10:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Janos Mohacsi
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386

>Description:
	The pf firewall does not use the IPv6 addresses at startup.
	If you start using the pf firewall with IPv6 enabled, the IPv6 addresses
	are not used:
	e.g. 
	in case of pf rule:
	pass out quick proto tcp from $ext_if to any keep state

	the real rule will be:
	pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state

	the IPv6 address of the external interface is not taken into consideration,
	since the IPv6 address is not configured yet.
	

>How-To-Repeat:
	Try using interface names with ipv6 enabled in pf firewall.
>Fix:
	1.
	Start network_ipv6 before pf in /etc/rc.d.

mohacsi@mignon2> diff -ruN pf.orig pf
--- pf.orig     Wed Jun 13 12:43:30 2007
+++ pf  Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
 # BEFORE:  routing
 # KEYWORD: nojail
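
Review bot: on the REQUIRE line, network_ipv6 is added while the unchanged "# BEFORE:  routing" line stays, so network_ipv6 now has to be orderable ahead of routing as well. If /etc/rc.d/network_ipv6 itself requires routing, rcorder is handed a cycle and the resulting start order is not dependable; please check the rcorder output over /etc/rc.d after applying this and adjust the BEFORE line if it conflicts. The added dependency can also only move pf later in boot, so the interfaces brought up by netif stay unfiltered for longer, and a one-line comment above REQUIRE saying why network_ipv6 is listed would help the next reader.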

	2.
	However, to protect services during boot, I recommend adding pfboot in
	/etc/rc.d.
	See /etc/rc.d/pfboot reference at NetBSD 
	http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
	and
	/etc/pf.boot.conf also at NetBSD
	http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup

>Release-Note:
>Audit-Trail:
>Unformatted:
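
A post-boot check for the condition described in this report, as an added example that is not part of the original PR: it lists addresses configured on the external interface that no loaded pf rule refers to. The ifconfig and pfctl -sr sample text is constructed, the function names are hypothetical, and skipping link-local addresses is a simplifying assumption.

```sh
#!/bin/sh
# Added example, not from the PR. If pf expanded $ext_if before the IPv6
# address existed, that address is configured but appears in no loaded rule.

# Constructed sample data. On a live host, take the text from:
#   ifconfig "$ext_if"    and    pfctl -sr
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
	inet6 2001:db8::10 prefixlen 64'

# Ruleset loaded before the IPv6 address was configured (the reported case).
SAMPLE_RULES_EARLY='pass out quick inet proto tcp from 192.0.2.10 to any keep state'
# Ruleset loaded after the IPv6 address was configured.
SAMPLE_RULES_LATE='pass out quick inet proto tcp from 192.0.2.10 to any keep state
pass out quick inet6 proto tcp from 2001:db8::10 to any keep state'

# iface_addrs IFCONFIG_TEXT -> one "family address" pair per line.
# Assumption: link-local (fe80:) addresses are left out of the comparison.
iface_addrs() {
    printf '%s\n' "$1" | awk '
        ($1 == "inet" || $1 == "inet6") && $2 !~ /^fe80:/ { print $1, $2 }'
}

# unfiltered_addrs IFCONFIG_TEXT RULES_TEXT -> pairs that no rule mentions.
unfiltered_addrs() {
    iface_addrs "$1" | while read -r fam addr; do
        # Compare against whole whitespace-delimited tokens of each rule.
        if ! printf '%s\n' "$2" | awk -v a="$addr" '
                { for (i = 1; i <= NF; i++) if ($i == a) found = 1 }
                END { exit !found }'; then
            printf '%s %s\n' "$fam" "$addr"
        fi
    done
}

# Demo on the constructed data: the early ruleset leaves the IPv6 address out.
unfiltered_addrs "$SAMPLE_IFCONFIG" "$SAMPLE_RULES_EARLY"
```

Any line printed means a configured address was missing when the ruleset was loaded; reloading the ruleset once the address is up should make the output empty.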