Date:      Sun, 16 Jul 2006 23:28:33 +0300
From:      Ari Suutari <ari@suutari.iki.fi>
To:        Andrew Thompson <thompsa@freebsd.org>
Cc:        freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <44BAA171.8070302@suutari.iki.fi>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>
References:  <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <44BA8A95.10300@suutari.iki.fi> <20060716191732.GD3240@insomnia.benzedrine.cx> <44BA9ECA.6090607@suutari.iki.fi> <20060716202253.GF29207@heff.fud.org.nz>

Hi,


Andrew Thompson wrote:
>>
>> 	On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
>> 	pf is run after netif, so if one is using only pf as a firewall,
>> 	there is a window between the run of "netif" and "pf" where network
>> 	interfaces are up but there is no firewall loaded. Adding
>> 	pf_boot, which runs before "netif", would fix this, wouldn't it?
> 
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?

	I wasn't thinking about the firewall itself, but the network it
	protects. But now I notice that routing is run *after* pf,
	so things should be OK?

	Sorry to be such a pain, but I have tried asking about this
	many times and got no good answers (and I got even more worried
	when I noticed that NetBSD had a special boot-time ruleset).

	I guess this is case closed then!

		Ari S.
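The check discussed above (where pf lands relative to netif and routing in the rc order) can be scripted so it is repeatable after each upgrade. The following is an added example, not code from the thread or from the FreeBSD project. It assumes rcorder(8) prints one script path per line, as it does; the listing in SAMPLE_ORDER is constructed for offline demonstration and mirrors the ordering the thread describes (netif, then pf, then routing) rather than being real output. On a FreeBSD host the functions would be fed with rcorder /etc/rc.d/* instead.

```shell
#!/bin/sh
# Added example (not from the thread): classify the boot-time ordering of
# pf relative to netif and routing from an rcorder(8) listing on stdin.
#
# On a FreeBSD host:   rcorder /etc/rc.d/* | rc_pf_window
# Offline here:        printf '%s\n' "$SAMPLE_ORDER" | rc_pf_window
#
# SAMPLE_ORDER is a constructed listing, not real rcorder output.
SAMPLE_ORDER='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd'

# rc_position NAME: print the 1-based position of the script NAME (matched on
# its basename, so "pf" does not match "pflog") in the listing read from
# stdin; print 0 if it is absent.
rc_position() {
    awk -v name="$1" '
        { n = split($0, p, "/") }
        p[n] == name { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# rc_pf_window: read an rcorder listing from stdin and print one word:
#   none    - pf is ordered before netif: the ruleset is loaded before any
#             interface comes up (what a pf_boot-style script would give)
#   local   - pf runs after netif but before routing: interfaces are up with
#             no ruleset, but the default/static routes are not installed
#             yet (the situation the thread settles on)
#   routed  - pf runs after routing as well: a fully routed, unfiltered window
#   missing - pf or netif is not in the listing at all
# Exit status is 0 only for "none", so the function can gate a boot-config
# check.
rc_pf_window() {
    listing=$(cat)
    pf=$(printf '%s\n' "$listing" | rc_position pf)
    netif=$(printf '%s\n' "$listing" | rc_position netif)
    routing=$(printf '%s\n' "$listing" | rc_position routing)

    if [ "$pf" -eq 0 ] || [ "$netif" -eq 0 ]; then
        echo missing; return 1
    elif [ "$pf" -lt "$netif" ]; then
        echo none; return 0
    elif [ "$routing" -eq 0 ] || [ "$pf" -lt "$routing" ]; then
        echo local; return 1
    else
        echo routed; return 1
    fi
}

# Demonstration on the constructed listing.
if verdict=$(printf '%s\n' "$SAMPLE_ORDER" | rc_pf_window); then
    echo "pf is ordered before netif: no unfiltered window"
else
    echo "unfiltered window type: $verdict"
fi
```

The "local" verdict is the case Ari and Andrew converge on: interfaces are configured before the ruleset loads, but nothing is listening yet and the routing script has not run, so the exposure is limited to the brief interval before pf starts. A "routed" result would be the one worth fixing in the rc ordering.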

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44BAA171.8070302>