Date: Sun, 18 Mar 2007 19:16:36 -0700
From: Kian Mohageri <kian.mohageri@gmail.com>
To: Doug Barton <dougb@FreeBSD.org>
Cc: freebsd-net@freebsd.org, Mark Andrews <Mark_Andrews@isc.org>, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
Message-ID: <45FDF284.3040008@gmail.com>
In-Reply-To: <45FDD5C3.1070305@FreeBSD.org>
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org>
Doug Barton wrote:
> That said, if the issues of needing to resolve hostnames and set up
> rules for cloned interfaces are a universal problem (and it seems that
> they are) then perhaps rather than customizing a solution for pf it
> might be worthwhile to have a more generic "firewalls_late" script that
> performs the appropriate actions regardless of what firewalls are
> enabled. That way we could add just one rc.d script, and using the new
> functionality would be opt-in. Off the top of my head I envision
> something like:
>
> if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
>     # do stuff specific to ipfw
> fi
> if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
> ...

I agree VERY MUCH with this sort of approach. It would be a much cleaner
solution than completely separate handling of all of these different
problems.

I'm trying to get an idea of what all of the major problems with the
current order are, and these are the ones I'm aware of:

- ipfw blocks by default (names unresolvable, rtsol breaks)
- ipf/pf pass by default (services are unprotected)

I think a firewall_boot script (similar to what you've proposed) could
potentially solve all of these problems. If the user chose to enable it,
it would do something like this:

- load modules for pf/ipfw/ipf (whichever are enabled in rc.conf)
- load firewall-specific minimal rulesets for enabled firewall(s)

It would start BEFORE routing/netif, protecting services, but it would
allow things like rtsol and name resolution to work.

To elaborate a bit on your ideas, firewall_boot might do something like
this:

...
if checkyesno firewall_enable && [ -f "$firewall_boot_script" ]; then
    # load ipfw and minimal ruleset
fi
if checkyesno pf_enable && [ -f "$pf_boot_rules" ]; then
    # pf and minimal ruleset
fi
if checkyesno ipfilter_enable && [ -f "$ipfilter_boot_rules" ]; then
    # ipfilter and minimal ruleset
fi
...
The tiny default boot rulesets would be in /etc/defaults/ and of course
the user could override the location if they wanted to use their own
early ruleset.

The actual firewall scripts could then come up after the network, so
cloned interfaces have been created, names can be resolved, etc., and the
real rulesets should load without any problems.

Does that sound reasonable?

-Kian
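The firewall_boot script sketched in this message, written out as a complete rc.d-style script. This is an added example for illustration; it is not code from this thread and not part of FreeBSD. It keeps the knob names used in the message (firewall_boot_script, pf_boot_rules, ipfilter_boot_rules, all hypothetical), adds a hypothetical firewall_boot_enable switch, and invents default ruleset paths under /etc/defaults/. It sources /etc/rc.subr when present and otherwise falls back to a small stand-in for checkyesno and warn, so the planning logic can be exercised on any POSIX shell; module names and the pfctl/ipf invocations are the standard ones.

```sh
#!/bin/sh
#
# Hypothetical /etc/rc.d/firewall_boot: bring up each enabled firewall
# with a tiny boot ruleset BEFORE the network comes up. Added example,
# not FreeBSD code; knob names follow the mailing-list message.
#
# PROVIDE: firewall_boot
# REQUIRE: FILESYSTEMS
# BEFORE: netif routing
# KEYWORD: nojail
#
# rc.conf knobs (hypothetical):
#   firewall_boot_enable="YES"
#   firewall_enable  + firewall_boot_script   ipfw boot ruleset (an sh script)
#   pf_enable        + pf_boot_rules          pf boot ruleset (pf.conf syntax)
#   ipfilter_enable  + ipfilter_boot_rules    ipf boot ruleset (ipf syntax)

name="firewall_boot"
rcvar="firewall_boot_enable"
start_cmd="firewall_boot_start"
stop_cmd=":"   # never flush rules on stop; the real firewall scripts own them

if [ -r /etc/rc.subr ]; then
	. /etc/rc.subr
else
	# Stand-ins for rc.subr's checkyesno/warn so the planning logic can be
	# tested on a non-FreeBSD shell. checkyesno takes a variable NAME.
	checkyesno() {
		eval _value=\"\$$1\"
		case "$_value" in
		[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
		*) return 1 ;;
		esac
	}
	warn() { echo "firewall_boot: WARNING: $*" >&2; }
fi

# $1=enable knob  $2=ruleset knob  $3=label  $4=default ruleset path
# Emits "<label> <ruleset>" when the firewall is enabled and its boot
# ruleset exists; an enabled firewall without a ruleset is reported and
# skipped rather than silently left unloaded.
firewall_boot_plan_one() {
	checkyesno "$1" || return 0
	eval _rules=\"\${$2:-$4}\"
	if [ -f "$_rules" ]; then
		echo "$3 $_rules"
	else
		warn "$3 is enabled but boot ruleset $_rules is missing; skipping"
	fi
}

# The full plan, in a fixed order (ipfw, pf, ipf). Default paths are
# constructed for this example.
firewall_boot_plan() {
	firewall_boot_plan_one firewall_enable firewall_boot_script ipfw /etc/defaults/firewall.boot
	firewall_boot_plan_one pf_enable       pf_boot_rules       pf   /etc/defaults/pf.boot.conf
	firewall_boot_plan_one ipfilter_enable ipfilter_boot_rules ipf  /etc/defaults/ipf.boot.rules
}

# $1=label  $2=ruleset: load the kernel module if needed, then the rules.
# Module/file pairs: ipfw/ipfw, pf/pf, ipfilter/ipl (assumed here).
firewall_boot_load() {
	case "$1" in
	ipfw) { kldstat -q -m ipfw     || kldload ipfw; } && /bin/sh "$2" ;;
	pf)   { kldstat -q -m pf       || kldload pf;   } && pfctl -f "$2" && pfctl -e ;;
	ipf)  { kldstat -q -m ipfilter || kldload ipl;  } && ipf -Fa -f "$2" && ipf -E ;;
	esac
}

firewall_boot_start() {
	echo "Loading early firewall rulesets."
	firewall_boot_plan | while read _fw _rules; do
		firewall_boot_load "$_fw" "$_rules" ||
			warn "early ruleset for $_fw failed to load"
	done
}

# Only hand control to rc.subr when it is actually available (FreeBSD).
if command -v run_rc_command >/dev/null 2>&1; then
	load_rc_config $name
	run_rc_command "$1"
fi
```

With this in place the stock ipfw, pf and ipfilter scripts still run after netif as today and replace the boot rules with the full rulesets; the only change in the window before the network comes up is that a firewall that would otherwise block rtsol and name resolution (ipfw) or pass everything (pf, ipf) is instead running its small boot ruleset. Running `sh -n` on the script, or calling firewall_boot_plan from an interactive shell with the rc.conf knobs set, shows which rulesets would be loaded without touching the kernel.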