bin/113650: pf does not use IPv6 interface addresses at startups
Janos Mohacsi
mohacsi at niif.hu
Wed Jun 13 10:50:03 UTC 2007
>Number: 113650
>Category: bin
>Synopsis: pf does not use IPv6 interface addresses at startups
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 13 10:50:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Janos Mohacsi
>Release: FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root at scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386
>Description:
The pf firewall does not use the IPv6 addresses at startup.
If you start using the pf firewall with IPv6 enabled, the IPv6 addresses
are not used:
e.g.
in case of pf rule:
pass out quick proto tcp from $ext_if to any keep state
the real rule will be:
pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state
The IPv6 address of the external interface is not taken into consideration, since
the IPv6 address is not configured yet.
>How-To-Repeat:
Try using interface names with ipv6 enabled in pf firewall.
>Fix:
1.
Start network_ipv6 before pf in /etc/rc.d.
mohacsi at mignon2> diff -ruN pf.orig pf
--- pf.orig Wed Jun 13 12:43:30 2007
+++ pf Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
#
# PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
# BEFORE: routing
# KEYWORD: nojail
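Review bot: on the changed REQUIRE line, network_ipv6 is added while the unchanged "# BEFORE: routing" line still forces pf ahead of routing, so if network_ipv6 itself depends on routing the two constraints conflict; check the result with rcorder and adjust or drop the BEFORE line if a cycle appears. The new dependency also moves rule loading to after IPv6 address configuration, so a short comment in the script explaining why network_ipv6 is required would help, and the interval without a loaded ruleset is what the boot-time ruleset in item 2 is meant to cover.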
2.
However, to protect services during boot, I recommend adding pfboot in
/etc/rc.d.
See /etc/rc.d/pfboot reference at NetBSD
http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
and
/etc/pf.boot.conf also at NetBSD
http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup
>Release-Note:
>Audit-Trail:
>Unformatted:
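
A post-boot check for the condition this report describes, added here as an example and not part of the PR or of FreeBSD: it lists addresses configured on an interface that appear in no loaded rule. The helper names and the sample `ifconfig` and `pfctl -sr` text are constructed, and it assumes the rules were expanded from the interface name to literal addresses, as in the report.

```shell
#!/bin/sh
# Added example, not from the PR: find interface addresses that no loaded
# pf rule mentions (the symptom when pf.conf is parsed before IPv6 is up).

# Constructed, abridged sample of `ifconfig em0` output (documentation ranges).
SAMPLE_IFCONFIG='em0: flags=8843 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 fe80::201:2ff:fe03:405%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8::10 prefixlen 64'

# Constructed samples of `pfctl -sr` output: rules loaded before and after
# the IPv6 address was configured.
SAMPLE_RULES_STALE='pass out quick inet proto tcp from 192.0.2.10 to any keep state'
SAMPLE_RULES_OK='pass out quick inet proto tcp from 192.0.2.10 to any keep state
pass out quick inet6 proto tcp from 2001:db8::10 to any keep state'

# iface_addrs (hypothetical helper): ifconfig text on stdin, one address per
# line on stdout. Link-local fe80:: addresses are skipped to keep the check
# focused on routable addresses.
iface_addrs() {
    awk '($1 == "inet" || $1 == "inet6") && $2 !~ /^fe80:/ { print $2 }'
}

# missing_from_rules (hypothetical helper): $1 = ifconfig text, $2 = rules text.
# Prints every configured address that is not a whole token in any rule.
missing_from_rules() {
    printf '%s\n' "$1" | iface_addrs | while read -r addr; do
        printf '%s\n' "$2" | awk -v a="$addr" '
            { for (i = 1; i <= NF; i++) if (($i "") == (a "")) found = 1 }
            END { exit !found }' || printf '%s\n' "$addr"
    done
}

# On a live host: missing_from_rules "$(ifconfig em0)" "$(pfctl -sr)"
echo "stale ruleset misses: $(missing_from_rules "$SAMPLE_IFCONFIG" "$SAMPLE_RULES_STALE")"
echo "reloaded ruleset misses: $(missing_from_rules "$SAMPLE_IFCONFIG" "$SAMPLE_RULES_OK")"
```

Any address it prints means the ruleset was parsed before that address existed and should be reloaded.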