Wrong order in rc.d (pf and ipv6)
Kevin Oberman
oberman at es.net
Sun Aug 26 20:51:11 PDT 2007
> Date: Sat, 25 Aug 2007 21:46:11 -0700 (PDT)
> From: Doug Barton <dougb at FreeBSD.org>
> Sender: owner-freebsd-net at freebsd.org
>
> On Thu, 23 Aug 2007, Henri Hennebert wrote:
>
> > Hello,
> >
> > I notice that after a reboot, my pf rules don't take the ipv6 address
> > (managed with ipv6_ifconfig_rl0="2001:...:1") into account.
> >
> > rcorder /etc/rc.d/* show that pf is started before network_ipv6, is it
> > normal?
>
> The consensus was that all firewalls should be started before all
> interfaces. That way a system will come up protected with no window of
> vulnerability.
That may be consensus, but IPv6 simply can't be run in most environments
if the end system can't communicate with NDP at startup time. The
situation is essentially the same as trying to start IPv4 with no
ARP. (And it is worse if the end system is going to auto-configure its
address.)
This is a bit of a security conundrum. It looks like a default hole in
the firewalls for the critical NDP and maybe RDP will be needed. In the
meantime I have had to set IPFIREWALL_DEFAULT_TO_ACCEPT for my systems
running IPv6.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
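The trade-off Kevin describes (firewall before interfaces, but NDP must still work) can be handled in pf itself. The fragment below is an added example for this thread, not configuration posted by anyone in it; the interface name "rl0" and the service are assumptions. It keeps a default deny, opens only the ICMPv6 messages that make up neighbor and router discovery, and refers to the interface as `($ext_if)` so pf resolves its addresses at packet time rather than at rule-load time, which is what goes wrong when the ruleset loads before ipv6_ifconfig_rl0 has assigned the address.

```pf
# Added example (not from the mailing-list thread): pf.conf fragment that
# lets a host perform IPv6 neighbor/router discovery even though pf is
# loaded before network_ipv6 configures the interface.
# "rl0" is an assumed interface name.
ext_if = "rl0"

# Default deny: if only these rules are loaded, the host comes up closed.
block all

# ICMPv6 types that make up NDP.  Without these the host cannot resolve
# link-layer addresses, learn its default router, or auto-configure.
# Neighbor solicitations for DAD come from :: to a solicited-node
# multicast address, so "all" (any source/destination) is used on purpose.
pass in  quick on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routeradv }
pass out quick on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol }

# Parenthesised interface names are looked up when a packet is matched,
# not when the ruleset is loaded, so these rules work even though the
# interface has no IPv6 address yet at pf start time.  A rule naming the
# literal address from ipv6_ifconfig_rl0 would not.
pass in  on $ext_if inet6 proto tcp from any to ($ext_if) port ssh keep state
pass out on $ext_if inet6 from ($ext_if) to any keep state
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file and `pfctl -sr` after loading to confirm the `($ext_if)` rules show the address once network_ipv6 has run.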