rc.order wrong (ipfw)
Kian Mohageri
kian.mohageri at gmail.com
Sun Mar 18 01:31:48 UTC 2007
Doug Barton wrote:
>
> If it's reasonable to conclude that we want all the firewalls to start
> before netif, I see two ways to accomplish that. One would be to have
> netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is
> cleaner, but netif already has a pretty long REQUIRE line. The other
> way would be to add a new FIREWALLS placeholder for the REQUIREs I'm
> suggesting above, and then have netif REQUIRE that.
>
> If on the other hand, there is some reason NOT to start all the
> firewalls before netif, then things get more complicated. :)
>
>
I definitely think that firewalls should be started as early as
possible, for obvious reasons. I can't speak for ipfw, but removing the
REQUIRE: netif for pf might break some setups where the ruleset
references a cloned interface that netif creates. Correct me if I'm wrong?
Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
solve that problem, at least for pf. The idea has been discussed a few
times before but I didn't see it go anywhere.
http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003041.html
I'd love to see the rcorder for the firewalls get worked out! :)
Kian
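As an added example (not code from the thread or from FreeBSD), the script below simulates rcorder(8)'s PROVIDE/REQUIRE resolution over constructed rc.d headers: Doug's FIREWALLS placeholder puts ipfilter, pf and ipfw ahead of netif, and leaving pf's existing REQUIRE: netif in place turns the order into a cycle, which is why that REQUIRE has to go before netif can depend on the firewalls. Script names and header contents are constructed stand-ins, and the cycle message is this example's own, not rcorder's.

```python
# Added example: rcorder(8)-style PROVIDE/REQUIRE resolution over constructed
# rc.d headers (stand-ins for FreeBSD's scripts, not copies of them).
import re

HEADER_RE = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE):[ \t]*(.*)$", re.M)

def hdr(provide, require=""):
    # Build a minimal rcorder comment block for a constructed script.
    return f"# PROVIDE: {provide}\n# REQUIRE: {require}\n"

def parse_header(text):
    """Collect the PROVIDE and REQUIRE names from a script's rcorder block."""
    provides, requires = set(), set()
    for key, names in HEADER_RE.findall(text):
        (provides if key == "PROVIDE" else requires).update(names.split())
    return provides, requires

def rcorder(scripts):
    """Depth-first start order honouring every REQUIRE; ValueError on a cycle.
    A REQUIRE that nothing PROVIDEs is skipped, like rcorder's warn-and-continue."""
    provided_by, requires = {}, {}
    for name, text in scripts.items():
        prov, req = parse_header(text)
        provided_by.update({p: name for p in prov})
        requires[name] = req
    order, state = [], {}  # state: "visiting" or "done"
    def visit(name, chain):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("dependency cycle: " + " -> ".join(chain + [name]))
        state[name] = "visiting"
        for dep in sorted(requires[name]):
            if dep in provided_by:
                visit(provided_by[dep], chain + [name])
        state[name] = "done"
        order.append(name)
    for name in sorted(scripts):
        visit(name, [])
    return order

# Constructed tree: the three firewalls plus one script that needs netif up.
BASE = {"root": hdr("root"), "ipfilter": hdr("ipfilter", "root"),
        "pf": hdr("pf", "root"), "ipfw": hdr("ipfw", "root"),
        "routing": hdr("routing", "netif")}

def placeholder_layout():
    """Doug's proposal: a FIREWALLS placeholder that netif REQUIREs."""
    return dict(BASE, FIREWALLS=hdr("FIREWALLS", "ipfilter pf ipfw"),
                netif=hdr("netif", "FIREWALLS"))

def pf_keeps_netif_layout():
    """Same tree, but pf still carries its old REQUIRE: netif, so it loops."""
    return dict(placeholder_layout(), pf=hdr("pf", "root netif"))
```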