Date:      Sun, 18 Mar 2007 17:13:55 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Kian Mohageri <kian.mohageri@gmail.com>
Cc:        freebsd-net@freebsd.org, Mark Andrews <Mark_Andrews@isc.org>, freebsd-rc@freebsd.org
Subject:   Re: rc.order wrong (ipfw)
Message-ID:  <45FDD5C3.1070305@FreeBSD.org>
In-Reply-To: <45FC90CE.3020605@gmail.com>
References:  <200703171210.l2HCAD63046801@drugs.dv.isc.org>	<45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com>

Kian Mohageri wrote:
> I can't speak for ipfw, but removing the
> REQUIRE: netif for pf might break some setups where the ruleset
> references a cloned interface that netif creates.  Correct me if I'm wrong?
> 
> Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
> solve that problem, at least for pf.  The idea has been discussed a few
> times before but I didn't see it go anywhere.

That's because no one who uses pf (and therefore cares sufficiently 
about the issue) has stepped up to do the work. Q.E.D. I don't know pf 
from a hole in the ground, and I'm not going to develop and commit a 
fundamentally different way of doing things for it that I can't test, 
and therefore will have no confidence that it's been done correctly.

That said, if the issues of needing to resolve hostnames and set up 
rules for cloned interfaces are a universal problem (and it seems that 
they are) then perhaps rather than customizing a solution for pf it 
might be worthwhile to have a more generic "firewalls_late" script 
that performs the appropriate actions regardless of what firewalls are 
enabled. That way we could add just one rc.d script, and using the new 
functionality would be opt-in. Off the top of my head I envision 
something like:

if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
	# do stuff specific to ipfw
fi
if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
...

Comments? That's something that I would feel comfortable developing 
and committing, since it would be opt-in, and others more 
knowledgeable than I could jump in and run with it for a while before 
we considered MFC'ing it (if doing that would be appropriate at all, 
and I'm not sure that it would be).

OTOH, perhaps if we just move everything (and therefore break things 
in the manner you described) it will motivate someone to do the work.

:)

Doug

-- 

     This .signature sanitized for your protection
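As an added example (not part of the thread, and not FreeBSD's own rc.d code), here is one way the opt-in "firewalls_late" script sketched above could be written. The `*_rules_late` variable names, the `REQUIRE: NETWORKING named` ordering and the per-firewall load commands are assumptions chosen for illustration. The script sources the real /etc/rc.subr where it exists and otherwise falls back to minimal stand-ins, so the selection logic runs on any POSIX shell:

```shell
#!/bin/sh
#
# firewalls_late: a sketch of the opt-in "late rules" rc.d script proposed
# in the message above.  Added example, not FreeBSD code.  The *_rules_late
# variables, the REQUIRE line and the load commands are assumptions.
#
# PROVIDE: firewalls_late
# REQUIRE: NETWORKING named
# KEYWORD: nojail

# On FreeBSD use the real rc.subr; elsewhere fall back to minimal stand-ins
# so the selection logic can be exercised on any POSIX shell.
if [ -r /etc/rc.subr ]; then
	. /etc/rc.subr
else
	# Stand-in for rc.subr's checkyesno: takes a VARIABLE NAME, not a value.
	checkyesno() {
		eval _val=\"\${$1:-NO}\"
		case "$_val" in
		[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
		*) return 1 ;;
		esac
	}
	load_rc_config() { :; }
	run_rc_command() { case "$1" in start) firewalls_late_start ;; esac; }
fi

name="firewalls_late"
start_cmd="firewalls_late_start"
stop_cmd=":"

# Emit one "<firewall> <ruleset-file>" line per firewall that is both
# enabled and opted in (its *_rules_late variable is non-empty).  Kept
# separate from the side effects so it can be inspected and tested.
firewalls_late_plan()
{
	checkyesno firewall_enable && [ -n "$firewall_rules_late" ] &&
		echo "ipfw $firewall_rules_late"
	checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ] &&
		echo "ipfilter $ipfilter_rules_late"
	checkyesno pf_enable && [ -n "$pf_rules_late" ] &&
		echo "pf $pf_rules_late"
	return 0
}

# Load each planned ruleset.  Runs after NETWORKING (and the resolver), so
# the files may reference hostnames and interfaces cloned by netif.  An
# unreadable file is reported and skipped rather than aborting the boot.
firewalls_late_start()
{
	firewalls_late_plan | while read -r fw rules; do
		if [ ! -r "$rules" ]; then
			echo "firewalls_late: $fw: cannot read $rules, skipping" >&2
			continue
		fi
		case "$fw" in
		ipfw)     /sbin/ipfw -q "$rules" ;;    # adds to the live ruleset
		ipfilter) /sbin/ipf -f "$rules" ;;     # adds to the live ruleset
		pf)       /sbin/pfctl -f "$rules" ;;   # REPLACES the live ruleset
		esac
	done
}

load_rc_config $name
run_rc_command "$1"
```

One caveat for the pf case: `pfctl -f` replaces the whole ruleset rather than appending, so a pf "late" file written this way would have to be the complete ruleset; keeping the late rules in an anchor and loading them with `pfctl -a <anchor> -f <file>` avoids clobbering the rules loaded earlier in boot.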


