From info@plot.uz  Wed Jun 13 11:45:37 2007
Message-Id: <200706131043.l5DAhLOV024723@scone.ki.iif.hu>
Date: Wed, 13 Jun 2007 12:43:21 +0200 (CEST)
From: Janos Mohacsi <info@plot.uz>
Reply-To: Janos Mohacsi <janos.mohacsi@bsd.hu>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: pf does not use IPv6 interface addresses at startups
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         113654
>Category:       bin
>Synopsis:       pf does not use IPv6 interface addresses at startups
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 13 11:50:02 GMT 2007
>Closed-Date:    Wed Jun 13 12:07:41 GMT 2007
>Last-Modified:  Wed Jun 13 12:07:41 GMT 2007
>Originator:     Janos Mohacsi
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386

>Description:
	The pf firewall does not use the IPv6 addresses at startup.
	If you start using the pf firewall with IPv6 enabled, the IPv6 addresses
	are not used:
	e.g. 
	in case of pf rule:
	pass out quick proto tcp from $ext_if to any keep state

	the real rule will be:
	pass out quick inet proto tcp from "IPv4_ADDRESS_OF_EXTERNAL_INTERFACE" to any keep state

	The IPv6 address of the external interface is not taken into consideration, since
	the IPv6 address is not configured yet.
	

>How-To-Repeat:
	Try using interface names with ipv6 enabled in pf firewall.
>Fix:
	1.
	Start network_ipv6 before pf in /etc/rc.d.

mohacsi@mignon2> diff -ruN pf.orig pf
--- pf.orig     Wed Jun 13 12:43:30 2007
+++ pf  Wed Jun 13 12:43:53 2007
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root FILESYSTEMS netif pflog pfsync
+# REQUIRE: root FILESYSTEMS netif pflog pfsync network_ipv6
 # BEFORE:  routing
 # KEYWORD: nojail
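
Review bot: Adding `network_ipv6` to the `# REQUIRE:` line means the interface receives its IPv6 addresses before any pf ruleset is loaded, so this ordering change should ship together with a boot-time default ruleset (as item 2 of this report proposes), or the commit message should state the unfiltered window explicitly. Because the script keeps `# BEFORE:  routing`, please also confirm with rcorder that `network_ipv6` does not itself sort after `routing`; if it does, the new requirement creates a dependency cycle.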

	2.
	However, to protect services during boot, I recommend adding pfboot in
	/etc/rc.d.
	See /etc/rc.d/pfboot reference at NetBSD 
	http://cvsweb.netbsd.org/bsdweb.cgi/src/etc/rc.d/pf_boot
	and
	/etc/pf.boot.conf also at NetBSD
	http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/pf/etc/defaults/pf.boot.conf?rev=1.2&content-type=text/x-cvsweb-markup
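
A check for the condition described in this report, added here as an example and not part of the original PR or of FreeBSD: it lists the interface's IPv6 addresses that no loaded inet6 rule mentions. The interface name em0, the addresses and both rule listings are constructed samples; link-local (fe80::) addresses are skipped to keep the comparison simple.

```shell
#!/bin/sh
# Constructed sample: ifconfig output for a dual-stack external interface.
sample_ifconfig='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8::10 prefixlen 64'

# Constructed sample: rules as loaded before the IPv6 address existed
# (the interface name expanded to the IPv4 address only).
rules_early='pass out quick inet proto tcp from 192.0.2.10 to any keep state'

# Constructed sample: the same rule after a reload with IPv6 configured.
rules_late='pass out quick inet proto tcp from 192.0.2.10 to any keep state
pass out quick inet6 proto tcp from 2001:db8::10 to any keep state'

# Print the non-link-local IPv6 addresses found in ifconfig-style text ($1).
iface_inet6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" {
            sub(/%.*/, "", $2)              # drop the %ifname scope suffix
            if ($2 !~ /^fe80:/) print $2
        }'
}

# Print every interface address ($1 = ifconfig text) that does not appear
# as a word in any inet6 rule of the loaded ruleset ($2 = rule listing).
missing_inet6() {
    for addr in $(iface_inet6 "$1"); do
        printf '%s\n' "$2" | awk -v a="$addr" '
            / inet6 / { for (i = 1; i <= NF; i++) if ($i == a) found = 1 }
            END { exit !found }' || printf '%s\n' "$addr"
    done
}

echo "not covered after early load: $(missing_inet6 "$sample_ifconfig" "$rules_early")"
echo "not covered after reload:     $(missing_inet6 "$sample_ifconfig" "$rules_late")"
```

On a live host the two arguments would be the output of `ifconfig` for the external interface and of `pfctl -sr`; any address printed means the ruleset was expanded before that address was configured.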


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Wed Jun 13 12:07:39 UTC 2007 
State-Changed-Why:  
Duplicate of 113650. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=113654 
>Unformatted:
