From mohacsi@scone.ki.iif.hu  Wed Jun 13 10:44:57 2007
Return-Path: <mohacsi@scone.ki.iif.hu>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6083B16A46B
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 13 Jun 2007 10:44:57 +0000 (UTC)
	(envelope-from mohacsi@scone.ki.iif.hu)
Received: from scone.ki.iif.hu (scone.ki.iif.hu [193.6.222.31])
	by mx1.freebsd.org (Postfix) with ESMTP id EB0F013C4BC
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 13 Jun 2007 10:44:56 +0000 (UTC)
	(envelope-from mohacsi@scone.ki.iif.hu)
Received: (from mohacsi@localhost)
	by scone.ki.iif.hu (8.14.1/8.14.1) id l5DAhLOV024723;
	Wed, 13 Jun 2007 12:43:21 +0200 (CEST)
	(envelope-from mohacsi)
Message-Id: <200706131043.l5DAhLOV024723@scone.ki.iif.hu>
Date: Wed, 13 Jun 2007 12:43:21 +0200 (CEST)
From: Janos Mohacsi <mohacsi@niif.hu>
Reply-To: Janos Mohacsi <janos.mohacsi@bsd.hu>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: pf does not use IPv6 interface addresses at startups
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         113650
>Category:       bin
>Synopsis:       pf does not use IPv6 interface addresses at startups
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 13 10:50:01 GMT 2007
>Closed-Date:    Wed Jun 13 11:44:49 GMT 2007
>Last-Modified:  Wed Jun 13 12:00:10 GMT 2007
>Originator:     Janos Mohacsi
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386

>Description:
	The pf firewall does not use the IPv6 addresses at startup.
	If you start using the pf firewall with IPv6 enabled, the IPv6 addresses
	are not used:
	e.g.
	in case of the pf rule:
	pass out quick proto tcp from $ext_if to any keep state

	the real rule will be:
	pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state

	the IPv6 address of the external interface is not taken into consideration since
	the IPv6 address is not configured yet.
	

>How-To-Repeat:
	Try using interface names with IPv6 enabled in the pf firewall.
>Fix:
	1.
	Start network_ipv6 before pf in /etc/rc.d.

mohacsi@mignon2> diff -ruN pf.orig pf
--- pf.orig     Wed Jun 13 12:43:30 2007
+++ pf  Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
 # BEFORE:  routing
 # KEYWORD: nojail
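Review bot: adding network_ipv6 to the REQUIRE line in this hunk delays pf until IPv6 configuration has run, so the window during early boot in which no ruleset is loaded gets larger (the downside the maintainer points out in the follow-up). It also only helps for addresses that exist at the moment pfctl loads the ruleset: as the description shows, `$ext_if` is expanded once at load time, so an address configured after that is still missed. Suggest leaving the rc.d ordering alone and writing the rule with the parenthesised `($ext_if)` form, which pf re-evaluates as the interface's addresses change.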

	2.
	However, to protect services during boot I recommend adding pfboot to
	/etc/rc.d.
	See the /etc/rc.d/pfboot reference at NetBSD
	http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
	and
	/etc/pf.boot.conf, also at NetBSD,
	http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Jun 13 11:14:43 UTC 2007 
Responsible-Changed-Why:  
reassign to PF team, note that the pfboot had been discussed a lot 
already and probably falls outside of the scope. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=113650 
State-Changed-From-To: open->closed 
State-Changed-By: mlaier 
State-Changed-When: Wed Jun 13 11:43:49 UTC 2007 
State-Changed-Why:  
Can be fixed otherwise.  Patch not a good idea in general - sorry. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=113650 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org,
 janos.mohacsi@bsd.hu
Cc:  
Subject: Re: bin/113650: pf does not use IPv6 interface addresses at startups
Date: Wed, 13 Jun 2007 13:43:51 +0200

 The better fix is to use the "(if0)"-syntax to pick up additional
 addresses as they are configured.  Starting pf late(r) has the downside
 that unwanted traffic can sneak in during the early boot.
 
 -- 
   Max Laier
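
As an added example (not from this PR and not from FreeBSD's own files), here is the `$ext_if` rule from the description beside the `($ext_if)` form the maintainer recommends; the interface name em0 and the address in the comments are assumed for illustration:

```pf
# Added example, not part of the PR; em0 and 192.0.2.1 are assumed values.
ext_if = "em0"

# Rule as written in the PR: the macro expands to "em0", and pfctl replaces
# the interface name with its addresses ONCE, when the ruleset is loaded.
# If only an IPv4 address exists at that moment, the active rule becomes
#   pass out quick inet proto tcp from 192.0.2.1 to any keep state
# and an IPv6 address configured later is never matched by it.
pass out quick proto tcp from $ext_if to any keep state

# Maintainer's suggestion: the parenthesised form loads as "(em0)" and is
# re-evaluated by the kernel whenever the interface's addresses change, so
# IPv6 addresses added after pf starts are picked up without reordering
# /etc/rc.d or starting the firewall later in the boot.
pass out quick proto tcp from ($ext_if) to any keep state

# Check: a verbose dry run shows how each rule was expanded at parse time,
# and the active ruleset shows "(em0)" for the dynamic form.
#   pfctl -nvf /etc/pf.conf
#   pfctl -sr
```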
>Unformatted:
