pf does not use IPv6 interface addresses at startups
- From: Janos Mohacsi <mohacsi@xxxxxxx>
- Date: Wed, 13 Jun 2007 12:43:21 +0200 (CEST)
Submitter-Id: current-users
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@xxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/SCONE i386
Originator: Janos Mohacsi
Organization: NIIF/HUNGARNET
Confidential: no
Synopsis: pf does not use IPv6 interface addresses at startups
Severity: serious
Priority: low
Category: bin
Class: sw-bug
Release: FreeBSD 6.2-STABLE i386
Environment:
Description: The pf firewall does not use the IPv6 addresses at startups.
If you start using the pf firewall with IPv6 enabled, the IPv6 addresses
are not used:
e.g.
in case of pf rule:
pass out quick proto tcp from $ext_if to any keep state
the real rule will be:
pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state
The IPv6 address of the external interface was not taken into consideration, since
the IPv6 address is not configured yet.
How-To-Repeat: Try using interface names with ipv6 enabled in pf firewall.
Fix:
1.
Start network_ipv6 before pf in /etc/rc.d.
mohacsi@mignon2> diff -ruN pf.orig pf
--- pf.orig Wed Jun 13 12:43:30 2007
+++ pf Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
#
# PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
# BEFORE: routing
# KEYWORD: nojail
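Review bot: The new REQUIRE line adds network_ipv6 while the unchanged "# BEFORE: routing" line stays in place. If network_ipv6 itself requires routing, rcorder sees a cycle (pf before routing, routing before network_ipv6, network_ipv6 before pf) and the resulting start order is no longer guaranteed. Run rcorder over a patched /etc/rc.d and check both the warnings and the position of pf before committing, and adjust or drop "BEFORE: routing" if a cycle is reported. Starting pf later also lengthens the time the interfaces are up without a loaded ruleset, so this change should land together with the boot-time ruleset proposed in item 2.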
2.
However, to protect services during boot, I recommend adding pfboot in
/etc/rc.d.
See /etc/rc.d/pfboot reference at NetBSD
http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
and
/etc/pf.boot.conf also at NetBSD
http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
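A post-boot check for the condition described in the report, as an added example that is not part of the original post: it lists interface addresses that appear in no loaded rule. The function names are hypothetical and the ifconfig and pfctl output is constructed sample data; it assumes rules show a single literal address, as in the expanded rule quoted in the report.

```shell
#!/bin/sh
# Constructed sample data (documentation address ranges). On a live host,
# feed the functions "$(ifconfig em0)" and "$(pfctl -sr)" instead.
IFCONFIG_OUT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
	inet6 2001:db8::10 prefixlen 64'
RULES_OUT='pass out quick inet proto tcp from 192.0.2.10 to any keep state'

# Print the IPv4 and non-link-local IPv6 addresses found in ifconfig output.
# Link-local (fe80::) addresses are skipped: a choice made for this example.
iface_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $2 ~ /^fe80:/ { next }
        $1 == "inet" || $1 == "inet6"  { print $2 }'
}

# Print every interface address ($1 = ifconfig output) that does not occur
# as a whole field in any loaded rule ($2 = pfctl -sr output).
missing_in_rules() {
    for addr in $(iface_addrs "$1"); do
        printf '%s\n' "$2" | awk -v a="$addr" '
            { for (i = 1; i <= NF; i++) if ($i == a) found = 1 }
            END { exit !found }' || printf '%s\n' "$addr"
    done
}

missing=$(missing_in_rules "$IFCONFIG_OUT" "$RULES_OUT")
if [ -z "$missing" ]; then
    echo "all interface addresses appear in the loaded ruleset"
else
    echo "addresses absent from the loaded ruleset:"
    echo "$missing"
fi
```

Rules that reference tables, address lists or the dynamic "(interface)" form will not match this literal comparison and need a different check.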