Date:      Mon, 19 Mar 2007 10:03:42 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Kian Mohageri <kian.mohageri@gmail.com>
Cc:        freebsd-net@freebsd.org, Mark Andrews <Mark_Andrews@isc.org>, freebsd-rc@freebsd.org
Subject:   Re: rc.order wrong (ipfw)
Message-ID:  <45FEC26E.40504@FreeBSD.org>
In-Reply-To: <45FE39AE.4070407@gmail.com>
References:  <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org> <45FE39AE.4070407@gmail.com>

Kian Mohageri wrote:

> After re-reading your original idea, I think I understand a little
> better what you mean to do.  For clarification, are you proposing that
> the [early] firewall scripts do nothing if firewall_late_enable=YES, and
> then have all firewalling taken care of later in the boot process (i.e.
> post-networking) by firewall_late?
> 
> I think I might have misunderstood your original proposal. :)

I think so too. :) To be clear, what I'm suggesting is that we move 
ipfw and pf to a spot in the rcorder that is ahead of netif, along 
with ipfilter which is already there. I am not suggesting that we 
change their functionality, just the ordering. As a completely 
separate thing (although they could be done at the same time) I am 
suggesting _adding_ a new script for "late" firewall rules (where 
"late" is defined as after netif) so that people who want to do 
firewall-related things that require netif (like cloned interfaces, 
FQDN rules, etc.) will have a standard way to accomplish that.

Thanks for the opportunity to clarify,

Doug

-- 

     This .signature sanitized for your protection
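As an added illustration that is not part of this thread or of FreeBSD's own rc.d scripts, the following Python models the rcorder(8) PROVIDE/REQUIRE/BEFORE rules over constructed header fragments expressing the proposal above: ipfw and pf declared BEFORE netif alongside ipfilter, plus a hypothetical firewall_late script that REQUIREs netif. The header contents and the FILESYSTEMS/firewall_late names are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque

# Constructed rc.d header fragments (assumptions, not FreeBSD's real scripts):
# ipfw/pf join ipfilter ahead of netif; hypothetical firewall_late REQUIREs netif.
RC_SCRIPTS = {
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "ipfilter": "# PROVIDE: ipfilter\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "firewall_late": "# PROVIDE: firewall_late\n# REQUIRE: netif\n",
}
HEADER = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)
def parse_headers(text):
    """Return {keyword: [names]} for the rcorder(8) keywords in one script."""
    out = defaultdict(list)
    for key, names in HEADER.findall(text):
        out[key].extend(names.split())
    return out
def rc_order(scripts):
    """Order scripts as rcorder(8) does: after all REQUIREs, before all BEFOREs."""
    provides = {}                            # provided name -> script
    for name, text in scripts.items():
        for p in parse_headers(text)["PROVIDE"] or [name]:
            provides[p] = name
    after = defaultdict(set)                 # script -> scripts that must follow
    indeg = {name: 0 for name in scripts}    # unmet predecessors per script
    def edge(first, second):
        if second not in after[first]:
            after[first].add(second)
            indeg[second] += 1
    for name, text in scripts.items():
        hdr = parse_headers(text)
        for req in hdr["REQUIRE"]:
            edge(provides[req], name)        # provider runs before the requirer
        for bef in hdr["BEFORE"]:
            edge(name, provides[bef])        # this script runs before the target
    ready = deque(sorted(n for n, d in indeg.items() if d == 0))
    order = []
    while ready:                             # Kahn's algorithm, name-sorted ties
        cur = ready.popleft()
        order.append(cur)
        for nxt in sorted(after[cur]):
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(scripts):
        raise ValueError("dependency cycle in rc.d headers")
    return order
```

Running `rc_order(RC_SCRIPTS)` places ipfilter, ipfw and pf before netif and firewall_late after it, which is the ordering the proposal describes.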