From: Mike Meyer
Date: Fri, 30 Mar 2001 23:10:01 -0600
To: Peter Brezny
Cc: questions@freebsd.org
Subject: Re: ipfw with fqdn instead of ip possible?

Peter Brezny types:
> To allow cable modem users access to a system, I'm trying to set up ipfw
> rules like this
>
> ipfw add allow tcp from host.domain.com port to $oip port in via $oif
> keep-state
>
> The problem I am having appears to be that named is starting after the
> firewall rules are loaded. (sh /etc/rc.firewall-hostnames works after the
> system has successfully booted with a firewall in place that has no
> hostnames present).
>
> Is there a way to get the system to start named first?
>
> I've placed the firewall startup info in /etc/rc.conf last, but the
> firewall rules are being run first.

How about moving /etc/rc.firewall-hostnames to
/usr/local/etc/rc.d/firewall-hostnames.sh, and making it executable?
You'll want to leave the parts of the firewall that aren't
hostname-dependent in the standard firewall startup so your system will
start properly, then enable the hostname-based holes after everything is
up and running.

BTW, you'll probably want to make that script able to reload all the
rules on the running system, as you'll still need to do that every time a
cable modem user loses their lease and then updates the DNS.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
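
Added example, not part of the message above and not the poster's script: one way the reloadable firewall-hostnames.sh could look. ipfw turns a hostname into an address when the rule is added, so the script resolves the names itself, keeps every hostname-based rule under one rule number, and rebuilds that number on each run. The rule number, interface, address, port, host list and the `resolve`, `gen_rules` and `apply` helpers are all assumptions made for illustration.

```sh
#!/bin/sh
# Hypothetical /usr/local/etc/rc.d/firewall-hostnames.sh (added example).
# Assumed values, not from the original mail: rule number, interface,
# address, port and host list below.
RULENUM=${RULENUM:-20000}   # one number reserved for all hostname rules
OIF=${OIF:-ed0}             # outside interface
OIP=${OIP:-192.0.2.10}      # outside address (documentation range)
PORT=${PORT:-22}            # service being opened
HOSTS=${HOSTS:-"host.domain.com"}
IPFW=${IPFW:-/sbin/ipfw}

# Print the IPv4 addresses a name currently resolves to, one per line.
resolve() {
    host -t a "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# Emit the ipfw commands that rebuild the hostname-based holes. Names are
# resolved here; the loaded rule only ever holds the numeric address.
gen_rules() {
    echo "delete $RULENUM"
    for h in $HOSTS; do
        for ip in $(resolve "$h"); do
            # Only a dotted quad may reach the rule text.
            if echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                echo "add $RULENUM allow tcp from $ip to $OIP $PORT in via $OIF keep-state"
            else
                echo "firewall-hostnames: ignoring '$ip' for $h" >&2
            fi
        done
    done
}

# Run the generated commands. The delete fails harmlessly on first boot,
# when no rule with that number exists yet.
apply() {
    gen_rules | while read -r cmd; do
        $IPFW -q $cmd || echo "firewall-hostnames: ipfw $cmd failed" >&2
    done
}

case "${1:-}" in
    start|reload) apply ;;                      # boot, or after a DNS update
    stop)         $IPFW -q delete "$RULENUM" ;;
esac
```

A name that no longer resolves gets no rule, so its hole stays closed until the next successful reload.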