From owner-freebsd-pf@FreeBSD.ORG Thu Sep 22 11:20:27 2005
Date: Thu, 22 Sep 2005 15:20:17 +0400
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: freebsd-pf@freebsd.org
Subject: PF in /etc/rc.d: some issues
Message-ID: <20050922112017.GB16325@comp.chem.msu.su>

Hi there,

I think we have a couple of issues regarding PF set-up during the system boot process.

First, in the presence of vlans or other dynamic interfaces it can be hard to ensure that pfsync0 will appear after its syncdev on the final list of interfaces built inside /etc/network.subr from several rc.conf variables and other sources. Consequently, pfsync0 won't get up because it is configured before its syncdev is up and running.
IMHO, this problem can be addressed by creating a separate rcNG script for pfsync, which I already did in my systems using PF (see below).

Second, the /etc/rc.d/pf script starts before DAEMON and LOGIN, which is too late IMHO. Can we make it start before "routing"? In an ideal world, a firewall should start before "netif", but I'm unsure if PF can start when not all interfaces mentioned in pf.conf are present in the system yet.

-- 
Yar

%%%
#!/bin/sh
#
# PROVIDE: pfsync
# REQUIRE: root mountcritlocal netif
# KEYWORD: nojail

. /etc/rc.subr

name="pfsync"
rcvar=`set_rcvar`
start_precmd="pfsync_prestart"
start_cmd="pfsync_start"
stop_cmd="pfsync_stop"

# Read rc.conf first so that pfsync_if and pfsync_syncdev set there take
# effect, then fall back to pfsync0 as the interface name.
load_rc_config "$name"
pfsync_if=${pfsync_if:-"pfsync0"}

# Refuse to start without a syncdev: pfsync is useless without one.
pfsync_prestart()
{
	case "$pfsync_syncdev" in
	'')
		warn "pfsync_syncdev is not set, nothing done"
		return 1
		;;
	esac
	return 0
}

pfsync_start()
{
	echo "Enabling pfsync."
	ifconfig "$pfsync_if" syncdev "$pfsync_syncdev" up
}

pfsync_stop()
{
	echo "Disabling pfsync."
	ifconfig "$pfsync_if" -syncdev down
}

run_rc_command "$1"
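As an added example (not code from Yar's message or from the FreeBSD rc.d tree), the following shows a stricter form of the prestart check the script above performs: besides rejecting an unset pfsync_syncdev, it also refuses to continue when the syncdev is not yet present, which is the vlan-before-pfsync0 ordering failure described at the top of the mail. Failing loudly here is preferable to a pfsync0 that silently never comes up and leaves the firewall pair unsynchronised. The function names and the sample interface lists are hypothetical; the list is passed in as an argument so the logic runs offline, whereas on FreeBSD it would come from `ifconfig -l`.

```shell
#!/bin/sh
# Added example, not part of the original message: a stricter pfsync
# prestart check. Names and sample data below are constructed.

# syncdev_present IFLIST DEV
# Returns 0 if DEV is exactly one of the whitespace-separated names in IFLIST.
# Word-by-word comparison is deliberate: a substring match such as
#   case "$IFLIST" in *"$DEV"*)
# would accept "em1" when only "em10" exists.
syncdev_present() {
	_iflist=$1
	_dev=$2
	for _ifn in $_iflist; do
		[ "$_ifn" = "$_dev" ] && return 0
	done
	return 1
}

# pfsync_check_prestart IFLIST SYNCDEV
#   0: safe to run "ifconfig pfsync0 syncdev SYNCDEV up"
#   1: syncdev unset (configuration error) or not created yet (ordering error)
pfsync_check_prestart() {
	_iflist=$1
	_syncdev=$2
	case "$_syncdev" in
	'')
		echo "pfsync_syncdev is not set, nothing done" >&2
		return 1
		;;
	esac
	if ! syncdev_present "$_iflist" "$_syncdev"; then
		echo "syncdev $_syncdev is not present yet; it must be created before pfsync starts" >&2
		return 1
	fi
	return 0
}

# Constructed sample interface lists in the format printed by `ifconfig -l`:
# one taken after netif has created the vlan, one taken too early.
IFLIST_READY="em0 em1 vlan100 lo0 pfsync0"
IFLIST_EARLY="em0 em1 lo0 pfsync0"

demo() {
	pfsync_check_prestart "$IFLIST_READY" vlan100 && echo "ready: pfsync0 may be brought up with syncdev vlan100"
	pfsync_check_prestart "$IFLIST_EARLY" vlan100 || echo "refused: vlan100 does not exist yet"
	pfsync_check_prestart "$IFLIST_READY" "" || echo "refused: pfsync_syncdev unset"
}
demo
```

In a real rc.d script the two checks would sit in pfsync_prestart with `$(ifconfig -l)` as the list and `warn` instead of `echo ... >&2`; returning 1 from the prestart makes run_rc_command skip the start, so the error shows up on the console during boot instead of being discovered later as a missing state table on the standby firewall.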