Date:      Thu, 25 Jun 2009 20:13:49 +0300
From:      Maxim Ignatenko <gelraen.ua@gmail.com>
To:        freebsd-current <freebsd-current@freebsd.org>
Subject:   /etc/rc.d/netif: "REQUIRE: ipfw pf" breaks NAT configuration
Message-ID:  <ac42db050906251013l496f9e3fme750f89e355665a9@mail.gmail.com>

Hi,

After r193198 my system can't start normally because ipfw nat,
included in $firewall_script, doesn't accept an interface without an IP
address. So nat is included in the ruleset, but not configured, and
doesn't pass any traffic at all. Such a trick works for ipfilter because
it has a separate configuration for NAT, and it may be started after the
main ruleset, when the interfaces are configured. But for ipfw it
requires manual configuration of two rulesets: the main one without nat
and a second one, nat itself; as for pf, it's not possible at all, since
a ruleset can't be loaded partially.

Regarding the commit entry for r193198, this was done to eliminate a
small window between rc.d/netif and loading the firewall rules, but in
the default configuration during this small window the firewall just
drops any packets, so the system is not vulnerable.

I see two ways to resolve this issue:
1) teach ipfw nat and pf to accept an interface without an IP address
and start the actual work after the interface gets configured
2) revert to the old behavior, when the firewall was started after rc.d/netif
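The two-ruleset workaround the message describes for ipfw (main rules loaded at rc.d/ipfw time, the nat instance configured only once the outside interface has an address), written out as an added example. This is not code from the original message or from FreeBSD; the interface name em0, nat instance 1, the rule numbers and the ifconfig text used as input are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD's rc.d.
# Split an ipfw ruleset so the interface-independent rules can be loaded
# before rc.d/netif, while "ipfw nat N config if IF" is only issued once
# IF actually has an IPv4 address (ipfw nat refuses an interface without one).

EXT_IF="${EXT_IF:-em0}"   # assumed outside interface name
NAT_ID=1                  # assumed ipfw nat instance number

# iface_has_inet IFCONFIG_TEXT
# Returns 0 when the ifconfig output passed as $1 contains an "inet " line
# (an IPv4 address), 1 otherwise. Takes text, not a live interface, so it
# can be checked against constructed output.
iface_has_inet() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# main_rules: the part of the ruleset that does not depend on an interface
# address and is therefore safe to load from $firewall_script before netif.
main_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 65000 allow ip from any to any
EOF
}

# nat_rules IFCONFIG_TEXT
# Prints the nat part of the ruleset, but only when the interface already
# has an address; returns 1 (printing nothing) otherwise.
nat_rules() {
    iface_has_inet "$1" || return 1
    cat <<EOF
nat ${NAT_ID} config if ${EXT_IF} reset
add 50 nat ${NAT_ID} ip from any to any via ${EXT_IF}
EOF
}

# configure_nat_when_ready [TRIES]
# Polls ifconfig once a second until EXT_IF has an inet address, then
# feeds the nat rules to ipfw. Intended for a script that runs after
# rc.d/netif (rc.local, or a local rc.d script with "REQUIRE: netif ipfw").
# Assumes "ipfw -q /dev/stdin" to read rule lines from a file is available.
configure_nat_when_ready() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        out=$(ifconfig "$EXT_IF" inet 2>/dev/null)
        if iface_has_inet "$out"; then
            nat_rules "$out" | ipfw -q /dev/stdin
            return $?
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "$EXT_IF never got an IPv4 address; nat ${NAT_ID} not configured" >&2
    return 1
}
```

Usage: `main_rules | ipfw -q /dev/stdin` belongs in $firewall_script (it runs before netif after r193198), and `configure_nat_when_ready 60` in whatever runs after netif. Until the second step completes, traffic that would have hit the nat rule is simply not translated, which is the "nat included but not configured" state the message describes.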