Date: Mon, 19 Mar 2007 10:03:42 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Kian Mohageri <kian.mohageri@gmail.com> Cc: freebsd-net@freebsd.org, Mark Andrews <Mark_Andrews@isc.org>, freebsd-rc@freebsd.org Subject: Re: rc.order wrong (ipfw) Message-ID: <45FEC26E.40504@FreeBSD.org> In-Reply-To: <45FE39AE.4070407@gmail.com> References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org> <45FE39AE.4070407@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Kian Mohageri wrote: > After re-reading your original idea, I think I understand a little > better what you mean to do. For clarification, are you proposing that > the [early] firewall scripts do nothing if firewall_late_enable=YES, and > then have all firewalling taken care of later in the boot process (i.e. > post-networking) by firewall_late? > > I think I might have misunderstood your original proposal:) I think so too. :) To be clear, what I'm suggesting is that we move ipfw and pf to a spot in the rcorder that is ahead of netif, along with ipfilter which is already there. I am not suggesting that we change their functionality, just the ordering. As a completely separate thing (although they could be done at the same time) I am suggesting _adding_ a new script for "late" firewall rules (where "late" is defined as after netif) so that people who want to do firewall-related things that require netif (like cloned interfaces, FQDN rules, etc.) will have a standard way to accomplish that. Thanks for the opportunity to clarify, Doug -- This .signature sanitized for your protection
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45FEC26E.40504>