Date: Thu, 22 Sep 2005 14:12:52 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF in /etc/rc.d: some issues
Message-ID: <200509221413.03576.max@love2party.net>
In-Reply-To: <20050922112017.GB16325@comp.chem.msu.su>
References: <20050922112017.GB16325@comp.chem.msu.su>
On Thursday 22 September 2005 13:20, Yar Tikhiy wrote:
> Hi there,
>
> I think we have a couple of issues regarding PF set-up during the
> system boot process.

I'm pretty sure we do - unfortunately.

> First, in the presence of vlan's or other dynamic interfaces it can
> be hard to ensure that pfsync0 will appear after its syncdev on the
> final list of interfaces built inside /etc/network.subr from several
> rc.conf variables and other sources. Consequently, pfsync0 won't
> get up because it is configured before its syncdev is up and running.
> IMHO, this problem can be addressed by creating a separate rcNG script
> for pfsync, which I already did in my systems using PF (see below.)

Sounds reasonable, but put at least an additional $pfsync_ifconfig_flags at
the end of the ifconfig so that people can specify maxupd. pfsync.4 needs to
be updated for this as well.

> Second, /etc/rc.d/pf script starts before DAEMON and LOGIN, which
> is too late IMHO. Can we make it start before "routing"? In an
> ideal world, a firewall should start before "netif", but I'm unsure
> if PF can start when not all interfaces mentioned in pf.conf are
> present in the system yet.

The only remaining problem (that I know of) is "set loginterface" on a
non-existing interface. Everything else should be taken care of by now.
This late startup was in fact a band-aid to get things working back then, but
the problems have been shaken out and now that "set loginterface" is more or
less obsolete by $pfctl -vsI -i <interface> anyway, we could move it back to
where it belongs. I'd like to keep that change in HEAD for the time being,
however.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
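The thread proposes a separate rc.d script for pfsync that brings pfsync0 up only once its syncdev exists, with an extra $pfsync_ifconfig_flags variable so that maxupd can be passed through. The script below is an added example illustrating that shape; it is not the script Yar refers to (which is not reproduced on this page) and not FreeBSD's own /etc/rc.d/pfsync. The rc.conf variable names (pfsync_enable, pfsync_syncdev, pfsync_ifconfig_flags, pfsync_syncdev_wait) and the rc.subr glue at the bottom are assumptions made for the example; the interface check and command builder are kept as plain sh functions so the logic can be exercised without root or a pfsync-capable kernel.

```shell
#!/bin/sh
#
# Hypothetical rc.d-style start script for pfsync(4). Added example, not the
# script discussed in the thread and not FreeBSD's /etc/rc.d/pfsync.
#
# PROVIDE: pfsync
# REQUIRE: netif
# BEFORE:  pf
#
# rc.conf(5) variables read by this example (names are assumptions):
#   pfsync_enable="YES"
#   pfsync_syncdev="em1"                # interface carrying pfsync traffic
#   pfsync_ifconfig_flags="maxupd 128"  # appended to ifconfig, e.g. maxupd
#   pfsync_syncdev_wait="5"             # seconds to wait for syncdev to appear

: ${pfsync_enable:="NO"}
: ${pfsync_syncdev:=""}
: ${pfsync_ifconfig_flags:=""}
: ${pfsync_syncdev_wait:="5"}

# Does interface $1 exist yet? Dynamic interfaces (vlan, etc.) may be created
# late in netif, which is the failure mode described in the thread.
pfsync_iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# Poll for syncdev $1 for up to $2 seconds; return 1 if it never shows up.
pfsync_wait_syncdev() {
    _dev="$1"; _tries="${2:-5}"
    while [ "$_tries" -gt 0 ]; do
        if pfsync_iface_exists "$_dev"; then
            return 0
        fi
        _tries=$((_tries - 1))
        if [ "$_tries" -gt 0 ]; then
            sleep 1
        fi
    done
    return 1
}

# Print the ifconfig(8) command line for pfsync0. The user's extra flags
# ($2, e.g. "maxupd 128") go between syncdev and "up", as suggested in the reply.
pfsync_ifconfig_cmd() {
    _dev="$1"; _flags="$2"
    if [ -z "$_dev" ]; then
        echo "pfsync: pfsync_syncdev is not set in rc.conf" >&2
        return 1
    fi
    if [ -n "$_flags" ]; then
        echo "ifconfig pfsync0 syncdev $_dev $_flags up"
    else
        echo "ifconfig pfsync0 syncdev $_dev up"
    fi
}

pfsync_start() {
    _cmd=$(pfsync_ifconfig_cmd "$pfsync_syncdev" "$pfsync_ifconfig_flags") || return 1
    if ! pfsync_wait_syncdev "$pfsync_syncdev" "$pfsync_syncdev_wait"; then
        echo "pfsync: syncdev $pfsync_syncdev did not appear; not starting pfsync0" >&2
        return 1
    fi
    echo "Starting pfsync: $_cmd"
    $_cmd
}

pfsync_stop() {
    ifconfig pfsync0 down
}

# rc(8) glue; only active when invoked by the boot framework with an action
# argument on a system that has /etc/rc.subr (assumed layout).
if [ -r /etc/rc.subr ] && [ -n "${1:-}" ]; then
    . /etc/rc.subr
    name="pfsync"
    rcvar="pfsync_enable"
    start_cmd="pfsync_start"
    stop_cmd="pfsync_stop"
    load_rc_config "$name"
    run_rc_command "$1"
fi
```

Installed as /usr/local/etc/rc.d/pfsync (or /etc/rc.d/pfsync) with the REQUIRE/BEFORE lines above, rcorder(8) places it after netif and before pf, and pfsync_ifconfig_flags="maxupd 128" in rc.conf ends up on the ifconfig line without editing the script.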