>Number:         145727
>Category:       conf
>Synopsis:       pf rules not applied on boot if using inet6 :network modifier
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 15 16:30:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     James Raftery
>Release:        FreeBSD 7.2-RELEASE-p7 i386
>Organization:
>Environment:
System: FreeBSD a.mx.now.ie 7.2-RELEASE-p7 FreeBSD 7.2-RELEASE-p7 #0: Fri Feb 26 19:51:57 UTC 2010 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

>Description:

        After reboot, no pf rules are applied if the :network interface
        modifier is used in any inet6 rules.  The net result is no firewall!
        The following is logged to syslog:
        
        Apr 10 17:23:11 a kernel: /etc/pf.conf:52: 
        Apr 10 17:23:11 a kernel: rule expands to no valid combination
        Apr 10 17:23:11 a kernel: 
        Apr 10 17:23:11 a kernel: /etc/pf.conf:70: 
        Apr 10 17:23:11 a kernel: rule expands to no valid combination
        Apr 10 17:23:11 a kernel: 
        Apr 10 17:23:11 a kernel: /etc/pf.conf:71: 
        Apr 10 17:23:11 a kernel: rule expands to no valid combination
        Apr 10 17:23:11 a kernel: 
        Apr 10 17:23:11 a kernel: /etc/pf.conf:72: 
        Apr 10 17:23:11 a kernel: rule expands to no valid combination
        Apr 10 17:23:11 a kernel: 
        Apr 10 17:23:11 a kernel: pfctl: 
        Apr 10 17:23:11 a kernel: Syntax error in config file: pf rules not loaded

        pf rules are applied before the IPv6 network config is applied, so pf
        is unable to expand the :network modifier in the inet6 rule statements.

        The relevant lines from pf.conf are:

        52: pass in log on fxp0 inet6 proto tcp from fxp0:network to fxp0 port ssh
        70: pass in on fxp0 inet6 proto icmp6 from fxp0:network to fxp0 icmp6-type $ipv6_nbr_icmp
        71: pass in on fxp0 inet6 proto icmp6 from fxp0:network to ff02::/8 icmp6-type $ipv6_nbr_icmp
        72: pass in on fxp0 inet6 proto icmp6 from fe80::/10 to fxp0:network icmp6-type $ipv6_nbr_icmp
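
        Added here as an example, not part of the PR or the submitter's configuration: a
        shell check that lists the pf.conf rules this report concerns (inet6 rules that
        carry an interface :network modifier, which cannot expand until the interface has
        an IPv6 address), run against a constructed sample modelled on the rules above,
        plus a pfctl-based check for the "no rules loaded" state. The function names and
        the sample file are assumptions made for the example.

```sh
# Added example (not from the PR): list pf.conf rules that combine inet6 with
# an "<iface>:network" modifier. Such a rule needs an IPv6 address on the
# interface to expand, and one failing rule makes pfctl reject the whole ruleset.

# pf_inet6_network_rules FILE: prints "LINENO<TAB>RULE" per affected rule.
# Backslash continuations are joined and "#" comments dropped (also inside
# quoted strings, which is acceptable for this check).
pf_inet6_network_rules() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; if (!start) start = NR; next }
        {
            line = buf $0; buf = ""
            n = start ? start : NR; start = 0
            sub(/#.*/, "", line)
            if (line ~ /(^|[ \t])inet6([ \t]|$)/ &&
                line ~ /[A-Za-z][A-Za-z0-9_.]*:network/)
                printf "%d\t%s\n", n, line
        }' "$1"
}

# pf_inet6_network_count FILE: number of affected rules.
pf_inet6_network_count() {
    pf_inet6_network_rules "$1" | wc -l | tr -d ' '
}

# pf_ruleset_empty: true when pf holds no rules, the "no firewall" state the
# PR describes after a failed load at boot. Needs pfctl, so it is not run here.
pf_ruleset_empty() {
    [ "$(pfctl -sr 2>/dev/null | wc -l | tr -d ' ')" -eq 0 ]
}

# write_sample_conf: writes a constructed pf.conf (not the submitter's file)
# modelled on the rules in the PR and prints its path.
write_sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/pf.conf.XXXXXX")
    cat > "$f" <<'EOF'
# constructed sample
block in all
pass in on fxp0 inet proto tcp from fxp0:network to fxp0 port ssh
pass in log on fxp0 inet6 proto tcp from fxp0:network to fxp0 port ssh
pass in on fxp0 inet6 proto icmp6 from fxp0:network to fxp0 \
    icmp6-type $ipv6_nbr_icmp
pass in on fxp0 inet6 proto icmp6 from fe80::/10 to fxp0:network # neighbour discovery
pass in on fxp0 inet6 proto icmp6 from fe80::/10 to fxp0 icmp6-type $ipv6_nbr_icmp
EOF
    echo "$f"
}
sample=$(write_sample_conf)
pf_inet6_network_rules "$sample"   # sample lines 4, 5 and 7
```

        Run against the real /etc/pf.conf, a non-empty listing means the ruleset depends on
        IPv6 addresses being up before `pfctl -f` runs; pf_ruleset_empty after boot confirms
        whether the load actually failed.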

>How-To-Repeat:

        Add inet6 rule statements which include the :network modifier to
        pf.conf. Ensure there are no active IPv6 addresses on the relevant
        network interfaces. Run `/etc/rc.d/pf start' (with pf_enable=YES in
        rc.conf).

>Fix:
        Re-order rc start-up to apply the IPv6 network config. before pf
        rules are applied. That's in theory, obviously. I don't have enough
        knowledge of boot ordering to say with any confidence that there
        won't be some nasty side-effects of such a change.

>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs