Date:      Mon, 19 Mar 2007 00:20:14 -0700
From:      Kian Mohageri <kian.mohageri@gmail.com>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@freebsd.org, Mark Andrews <Mark_Andrews@isc.org>, freebsd-rc@freebsd.org
Subject:   Re: rc.order wrong (ipfw)
Message-ID:  <45FE39AE.4070407@gmail.com>
In-Reply-To: <45FE13E5.9060902@FreeBSD.org>
References:  <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org>

Doug Barton wrote:
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, but IMO
> those are the exception, not the rule. Furthermore (and I'm betraying a
> prejudice here) I think that firewall rules that rely on name resolution
> are absolutely nuts, and I say that with many years of experience as a
> professional DNS and system administrator.
> 

Agreed.  FQDNs in a ruleset is a pretty stupid idea.  I guess I also
agree with the reasoning that changing the common case as little as
possible is good.

> Therefore I believe strongly that the default behavior should be changed
> to load all firewalls (and rules) before netif, and that those who want
> to do firewall-related things that require netif or routing to be up
> should be the ones who have to opt in to the new script. That said, I
> think you and I have expressed our opinions pretty clearly on these
> points, so I'd suggest that we let someone else have a turn.


After re-reading your original idea, I think I understand a little
better what you mean to do.  For clarification, are you proposing that
the [early] firewall scripts do nothing if firewall_late_enable=YES, and
then have all firewalling taken care of later in the boot process (i.e.
post-networking) by firewall_late?

I think I might have misunderstood your original proposal :)

-Kian
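The ordering property Doug argues for (firewall rules pinned before netif unless the administrator opts into a late firewall) can be checked mechanically from rc.d headers. The example below is added here and is not part of the thread or of FreeBSD: it models only the PROVIDE/REQUIRE/BEFORE keywords that rcorder(8) reads, treats firewall_late_enable and the firewall_late script as the proposal under discussion rather than existing rc.conf knobs, and the rc.d headers are constructed samples, not FreeBSD's real files.

```python
import re

EARLY_FIREWALLS = ("ipfw", "pf", "ipfilter")  # scripts that must precede netif
HEADER = re.compile(r"^# (PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def predecessors(scripts):
    # scripts: name -> file text. Returns label -> labels that must run earlier
    # (rcorder rule: REQUIRE'd labels run before you, BEFORE'd labels after you).
    preds = {}
    for name, text in scripts.items():
        kw = {k: set() for k in ("PROVIDE", "REQUIRE", "BEFORE")}
        for m in HEADER.finditer(text):
            kw[m.group(1)].update(m.group(2).split())
        for label in kw["PROVIDE"] | {name}:
            preds.setdefault(label, set()).update(kw["REQUIRE"])
        for later in kw["BEFORE"]:
            preds.setdefault(later, set()).update(kw["PROVIDE"] | {name})
    return preds

def ancestors(preds, node):
    # Transitive predecessors: the labels every valid rcorder output must run
    # before node. A label missing here has an unspecified order, not a safe one.
    out, stack = set(), list(preds.get(node, ()))
    while stack:
        p = stack.pop()
        if p not in out:
            out.add(p)
            stack.extend(preds.get(p, ()))
    return out

def firewall_order_ok(scripts, rc_conf):
    # Default: every early firewall script present is pinned before netif. With the
    # proposed opt-in (firewall_late_enable=YES, assumed here) the early scripts do
    # nothing, so firewall_late must instead be pinned after netif.
    preds = predecessors(scripts)
    if rc_conf.get("firewall_late_enable", "NO").upper() == "YES":
        return "netif" in ancestors(preds, "firewall_late")
    return all(fw in ancestors(preds, "netif") for fw in EARLY_FIREWALLS if fw in preds)

# Constructed rc.d headers for illustration, not FreeBSD's real files.
GOOD_RC_D = {
    "ipfilter": "# PROVIDE: ipfilter\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: ipfilter\n# BEFORE: netif\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: ipfilter\n",
    "firewall_late": "# PROVIDE: firewall_late\n# REQUIRE: netif\n",
}
# Same tree without "BEFORE: netif": nothing pins ipfw ahead of the interfaces.
BAD_RC_D = dict(GOOD_RC_D, ipfw="# PROVIDE: ipfw\n# REQUIRE: ipfilter\n")
```

With the BAD tree the default configuration fails the check even though rcorder may happen to print ipfw first, since no edge guarantees it; the late opt-in still passes because firewall_late is explicitly pinned after netif.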