Date: Wed, 31 Dec 2008 05:20:05 GMT
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-rc@FreeBSD.org
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
Message-ID: <200812310520.mBV5K5R3015454@freefall.freebsd.org>
The following reply was made to PR conf/96343; it has been noted by GNATS.

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, michael@gargantuan.com
Cc:
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
Date: Wed, 31 Dec 2008 05:19:04 +0000

[http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/96343]

Ideally the firewall should be started before any interfaces become active to avoid the possibility for an attacker to get in between the interface being active and the firewall being turned on; on 8-CURRENT the startup procedure has been changed so that this is the case.

It should be possible to make pf work by for example changing

  pass ... on re0 from any to re0 ...

to

  pass ... on re0 from any to (re0) ...

With the second line, pf now doesn't require re0 to have an IP address in order to load the firewall rules.

--
Bruce Cran
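To find rules affected by the load-order issue described in the message above, the following added example (not part of the original e-mail or of FreeBSD) lists pf.conf rules that name an interface as a bare address after `from` or `to`. The helper names and the sample ruleset are constructed for illustration, and the check assumes a single address token after `from`/`to` (no brace lists, macros or tables).

```shell
#!/bin/sh
# Added example: report pf.conf rules where an interface name is used as a
# bare address (looked up when the ruleset is loaded) rather than (ifname).

# pf_bare_ifaddr FILE IFNAME...   (hypothetical helper, not a pf tool)
# Prints "lineno: rule" for each rule with a bare interface address.
pf_bare_ifaddr() {
    conf=$1; shift
    awk -v ifs="$*" '
    BEGIN { n = split(ifs, names, " "); for (i = 1; i <= n; i++) want[names[i]] = 1 }
    {
        line = $0
        sub(/#.*/, "", line)                 # ignore comments
        m = split(line, tok, /[ \t]+/)
        for (i = 1; i < m; i++) {
            if (tok[i] != "from" && tok[i] != "to") continue
            addr = tok[i + 1]                # address position only, not "on re0"
            sub(/^!/, "", addr)              # negated address
            sub(/:.*/, "", addr)             # modifiers such as re0:network
            if (addr in want) { printf "%d: %s\n", NR, $0; break }
        }
    }' "$conf"
}

# Constructed sample ruleset; re0 is the interface name used in the message.
sample_pf_conf() {
    cat <<'EOF'
# constructed sample, not from the PR
pass in on re0 proto tcp from any to re0 port 22
pass in on re0 proto tcp from any to (re0) port 22
pass out on re0 from re0:network to any
block in on re0 from any to any
EOF
}

# Stand-alone run: flags lines 2 and 4 of the sample.
tmp=$(mktemp)
sample_pf_conf > "$tmp"
pf_bare_ifaddr "$tmp" re0
rm -f "$tmp"
```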