Date:      Fri, 26 Jun 2009 07:56:24 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Dimitry Andric <dimitry@andric.com>
Cc:        Max Laier <max@love2party.net>, freebsd-current@freebsd.org, freebsd-pf@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: pfsync rc script breaks pfsync on cloned interfaces
Message-ID:  <4A44E198.3050004@FreeBSD.org>
In-Reply-To: <4A44B7DE.2090503@andric.com>
References:  <E1MJoX9-000F3V-6z@clue.co.za> <4A444BC2.4010606@FreeBSD.org> <200906261104.07597.max@love2party.net> <4A44B7DE.2090503@andric.com>

Dimitry Andric wrote:
> On 2009-06-26 11:04, Max Laier wrote:
>> I would like input about how a very simple "safe default" setup could look 
>> like.  A ruleset for pf or ipfw that allows most of the boot process to 
>> complete without opening the host to the outside world, yet.  For extra 
>> points this ruleset is aware of the rc.conf variables and adjusts 
>> accordingly (e.g. opening access to sshd iff it is configured).  In 
>> addition there might be *one or two* configuration variables for the early 
>> stage to open additional ports or to select a default interface.  However, 
>> the fewer the better.
> 
> If you look at how OpenBSD implements their /etc/rc script, you will see
> it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and
> (if applicable) IPv6 routing and neighbor advertisements.
> 
> Then it does the regular network setup (/etc/netstart), followed by
> loading the full PF rules.

I think that would be a great approach, it's just waiting for someone
familiar with pf to implement it. :)

I also forgot to mention, there is no need to include me on future
cc's for this topic.


Regards,

Doug

-- 

    This .signature sanitized for your protection
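As an added illustration of the early-boot "safe default" ruleset discussed in the quoted messages (this is example code, not anything from the thread or from FreeBSD's rc scripts): a POSIX sh function that emits a minimal default-deny pf ruleset of the kind OpenBSD's /etc/rc loads before the full rules, opening inbound ssh only when sshd is configured and IPv6 neighbour discovery only when IPv6 is on. The variable names `sshd_enable` and `ipv6_enable` and the function name `early_pf_rules` are assumptions made for this example; nothing here invokes pfctl, so it runs without pf present.

```shell
#!/bin/sh
# Added example, not part of the original thread. Emits an early-boot
# pf ruleset on stdout; an rc script could pipe it to `pfctl -f -`
# (assumed loading mechanism, not shown) before the network is up and
# then replace it with the full /etc/pf.conf once interfaces exist.

# early_pf_rules SSHD_ENABLE IPV6_ENABLE
#   Default deny; loopback skipped; outbound DNS and ICMP echo allowed
#   so boot-time name resolution and reachability checks work; inbound
#   ssh only if sshd is enabled; IPv6 router/neighbour discovery only
#   if IPv6 is enabled. Both arguments are rc.conf-style YES/NO values.
early_pf_rules() {
    sshd="$1"
    ipv6="$2"

    # Fixed part: options first, then a default block, then stateful
    # passes for DNS and echo. Replies come back via state, nothing else.
    cat <<'EOF'
# early boot ruleset: default deny, stateful replies only
set skip on lo0
block all
pass out proto udp to any port 53 keep state
pass out proto tcp to any port 53 keep state
pass out inet proto icmp icmp-type echoreq keep state
pass in inet proto icmp icmp-type echoreq keep state
EOF

    # Conditional part: only open what rc.conf says is configured.
    case "$sshd" in
    [Yy][Ee][Ss])
        echo "pass in proto tcp to any port 22 flags S/SA keep state"
        ;;
    esac

    case "$ipv6" in
    [Yy][Ee][Ss])
        echo "pass inet6 proto icmp6 icmp6-type { routeradv, neighbrsol, neighbradv } keep state"
        ;;
    esac
}

# Usage from an rc script (assumed variable names):
#   early_pf_rules "${sshd_enable:-NO}" "${ipv6_enable:-NO}" | pfctl -f -
```

The point of keeping the conditional rules in `case` branches rather than in the heredoc is that the early ruleset stays default-deny unless rc.conf explicitly asks for a service; a host that does not run sshd never has port 22 passed, even during the window before the full ruleset loads.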