Date: Mon, 1 Jun 2009 08:20:02 +0200
From: Max Laier <max@love2party.net>
To: Doug Barton <dougb@freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r193198 - head/etc/rc.d
Message-ID: <200906010820.03864.max@love2party.net>
In-Reply-To: <200906010535.n515Z4qK065272@svn.freebsd.org>
References: <200906010535.n515Z4qK065272@svn.freebsd.org>

On Monday 01 June 2009 07:35:03 Doug Barton wrote:
> Author: dougb
> Date: Mon Jun 1 05:35:03 2009
> New Revision: 193198
> URL: http://svn.freebsd.org/changeset/base/193198
>
> Log:
>   Make the pf and ipfw firewalls start before netif, just like ipfilter
>   already does. This eliminates a logical inconsistency, and a small
>   window where the system is open after the network comes up.

Can you please add a note about this in UPDATING? It might be a slight POLA violation for people who rely on the interfaces being configured to set up the firewall. For instance when one doesn't use dynamic address rules in pf i.e. "from/to ifX" instead of "from/to (ifX)".

> Modified:
>   head/etc/rc.d/ip6fw
>   head/etc/rc.d/ipfilter
>   head/etc/rc.d/ipfs
>   head/etc/rc.d/ipfw
>   head/etc/rc.d/ipnat
>   head/etc/rc.d/netif
>   head/etc/rc.d/network_ipv6
>   head/etc/rc.d/pf
>   head/etc/rc.d/pflog
>   head/etc/rc.d/pfsync

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
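
The "from/to ifX" versus "from/to (ifX)" distinction raised in the message above, as an added example that is not part of the original message: a shell check that lists the lines of a pf ruleset where a bare interface name is used as an address, which pf resolves once when the ruleset is loaded, so those rules depend on the interface already being configured. The interface names (em0, em1) and the sample ruleset are constructed, and only simple single-value macros are expanded.

```shell
#!/bin/sh
# Added example. Prints "LINE:IFACE" for every bare interface name used as
# an address in a pf ruleset on stdin. $1 = space-separated interface names.
find_static_if_rules() {
    awk -v ifs="$1" '
    BEGIN { n = split(ifs, a, " "); for (i = 1; i <= n; i++) isif[a[i]] = 1 }
    {
        line = $0
        sub(/#.*/, "", line)                      # strip comments
        # Record simple macros such as: ext_if = "em0"
        if (line ~ /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) {
            split(line, kv, "=")
            gsub(/[ \t"]/, "", kv[1]); gsub(/[ \t"]/, "", kv[2])
            macro[kv[1]] = kv[2]
            next
        }
        gsub(/[{},]/, " ", line)                  # flatten address lists
        m = split(line, tok, " ")
        seen = 0
        for (i = 1; i <= m; i++) {
            t = tok[i]
            if (t == "from" || t == "to" || t == "->") { seen = 1; continue }
            if (!seen) continue                   # ignore "on ifX" before from/to
            sub(/^!/, "", t)                      # negated address
            sub(/:.*/, "", t)                     # ifX:network, ifX:0, ...
            if (substr(t, 1, 1) == "$" && (substr(t, 2) in macro))
                t = macro[substr(t, 2)]
            if (t in isif) print NR ":" t         # "(ifX)" never matches
        }
    }'
}

# Constructed sample ruleset (not from the original message).
sample_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
int_if = "em1"
nat on $ext_if from $int_if:network to any -> $ext_if
block in all
pass in on $ext_if proto tcp from any to ($ext_if) port 22
pass in on em1 from em1:network to any
pass out on $ext_if from { (em0), em1 } to any
EOF
}

sample_pf_conf | find_static_if_rules "em0 em1"
```

On a real system the interface list can come from `ifconfig -l` and the ruleset from `/etc/pf.conf`; each reported line is a candidate for the parenthesized form.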