pf does not use IPv6 interface addresses at startups

Janos Mohacsi mohacsi at niif.hu
Wed Jun 13 11:08:45 UTC 2007


>Submitter-Id:	current-users
>Originator:	Janos Mohacsi
>Organization:	NIIF/HUNGARNET
>Confidential:	no
>Synopsis:	pf does not use IPv6 interface addresses at startups
>Severity:	serious
>Priority:	low
>Category:	bin
>Class:		sw-bug
>Release:	FreeBSD 6.2-STABLE i386
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root at scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386

>Description:
	The pf firewall does not use the IPv6 addresses at startup.
	If you start the pf firewall with IPv6 enabled, the IPv6 addresses
	are not used:
	e.g. 
	in case of pf rule:
	pass out quick proto tcp from $ext_if to any keep state

	the real rule will be:
	pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state

	the IPv6 address of the external interface was not taken into consideration, since
	the IPv6 address was not configured yet.
	

>How-To-Repeat:
	Try using interface names with IPv6 enabled in the pf firewall.
>Fix:
	1.
	Start network_ipv6 before pf in /etc/rc.d.

mohacsi at mignon2> diff -ruN pf.orig pf
--- pf.orig     Wed Jun 13 12:43:30 2007
+++ pf  Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
 # BEFORE:  routing
 # KEYWORD: nojail
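Review bot: The new `# REQUIRE: ... network_ipv6` line sits alongside the unchanged `# BEFORE:  routing` line in the same header; before committing, check the `# REQUIRE:` line of /etc/rc.d/network_ipv6 itself, because if that script depends on routing (directly or through another script), rcorder will see a cycle (pf before routing, routing before network_ipv6, network_ipv6 before pf) and the ordering will not be what this hunk intends. Also note that delaying pf until after network_ipv6 widens the window during boot in which interfaces carry addresses but no ruleset is loaded; the hunk does nothing to cover that window, which is exactly what the pf_boot/pf.boot.conf suggestion in point 2 is for, so it would be worth stating in the commit message that this change alone is not sufficient.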

	2.
	However, to protect services during boot, I recommend adding pfboot to
	/etc/rc.d.
	See the /etc/rc.d/pfboot reference at NetBSD
	http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
	and
	/etc/pf.boot.conf also at NetBSD
	http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup

