From owner-freebsd-net@FreeBSD.ORG Sat Mar 17 23:50:11 2007
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4789016A402 for ; Sat, 17 Mar 2007 23:50:11 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.freebsd.org (Postfix) with SMTP id EA11013C4CC for ; Sat, 17 Mar 2007 23:50:10 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 8101 invoked by uid 399); 17 Mar 2007 23:50:09 -0000
Received: from localhost (HELO ?192.168.0.4?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 17 Mar 2007 23:50:09 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <45FC7EAE.803@FreeBSD.org>
Date: Sat, 17 Mar 2007 16:50:06 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (Windows/20070116)
MIME-Version: 1.0
To: Mark Andrews
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org>
In-Reply-To: <200703171210.l2HCAD63046801@drugs.dv.isc.org>
Cc: freebsd-net@freebsd.org, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 17 Mar 2007 23:50:11 -0000

[ Re-locating this thread from -stable. ]

Mark Andrews wrote:
>> On Saturday 17 March 2007 03:58, Mark Andrews wrote:
>>
>>>>> nothing goes to this machine because by default everything is blocked
>>>>> until
>>>>>
>>>>> you permit it
>>>> You're absolutely correct, however your original post seems to have
>>>> taken many of us by surprise, causing some of us (at least me!) to
>>>> assume that you've changed the default method to allow. I'm obviously
>>>> misunderstanding, so I apologise for that, but I hope you can see the
>>>> reasoning behind my comments with what I knew at the time. :)
>>> ipfw needs to be before networking or router discovery
>>> fails for IPv6.
>>>
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589
>>>
>>
>> as default any network connection will fail so long as you do not permit it
>>
>> If rtsol fails or is called too early it is an rtsol problem and not an ipfw
>> problem I guess
>>
>> named and ipfw before netif?
>
> ip6fw is before networking. ipfw is supposed to be taking
> over from ip6fw. ipfw and ip6fw should be started at a
> similar time.
>
> rtsol is approximately the equivalent to DHCP. The machine is
> requesting an address from the network. It doesn't matter if
> it is a router or a DHCP server that is supplying the address.
>
> DHCP only works because it bypasses the firewall.

Mark,

Currently the order (with some non-networking items removed) is:

/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/sppp
/etc/rc.d/auto_linklocal
/etc/rc.d/pccard
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

ipfilter starts very early in the "late" section of rcorder; it requires mountcritlocal (the default early_late_divider) and has a BEFORE: netif. Currently ip6fw actually starts after routing (and therefore after netif). Before we move it I think someone who knows more about how rtsol works than I do should comment. AFAICT, network_ipv6 is going to need routing up. If ip6fw's functionality is going to be subsumed into ipfw, then changing ipfw to run before netif now, and nuking ip6fw later, is probably sufficient.

If it's reasonable to conclude that we want all the firewalls to start before netif, I see two ways to accomplish that. One would be to have netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is cleaner, but netif already has a pretty long REQUIRE line. The other way would be to add a new FIREWALLS placeholder for the REQUIREs I'm suggesting above, and then have netif REQUIRE that.

If, on the other hand, there is some reason NOT to start all the firewalls before netif, then things get more complicated.
:) The attached patch changes the rcorder to the following: /etc/rc.d/sppp /etc/rc.d/ipfw /etc/rc.d/pfsync /etc/rc.d/pflog /etc/rc.d/pf /etc/rc.d/ipfilter /etc/rc.d/ipnat /etc/rc.d/ipfs /etc/rc.d/auto_linklocal /etc/rc.d/serial /etc/rc.d/netif /etc/rc.d/ip6addrctl /etc/rc.d/atm2 /etc/rc.d/isdnd /etc/rc.d/ppp /etc/rc.d/routing /etc/rc.d/ip6fw /etc/rc.d/network_ipv6 /etc/rc.d/ipsec /etc/rc.d/nsswitch /etc/rc.d/mroute6d /etc/rc.d/route6d /etc/rc.d/mrouted /etc/rc.d/routed /etc/rc.d/NETWORKING Thoughts? Doug -- This .signature sanitized for your protection --------------090805060704060603060007 Content-Type: text/plain; name="rc-firewalls.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="rc-firewalls.diff" Index: ip6fw =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ip6fw,v retrieving revision 1.8 diff -u -r1.8 ip6fw --- ip6fw 31 Dec 2006 10:37:18 -0000 1.8 +++ ip6fw 17 Mar 2007 21:28:18 -0000 @@ -5,7 +5,6 @@ # PROVIDE: ip6fw # REQUIRE: routing -# BEFORE: network_ipv6 # KEYWORD: nojail . /etc/rc.subr Index: ipfilter =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipfilter,v retrieving revision 1.26 diff -u -r1.26 ipfilter --- ipfilter 31 Dec 2006 10:37:18 -0000 1.26 +++ ipfilter 17 Mar 2007 21:15:21 -0000 @@ -6,7 +6,6 @@ # PROVIDE: ipfilter # REQUIRE: root mountcritlocal -# BEFORE: netif # KEYWORD: nojail . /etc/rc.subr Index: ipfs =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipfs,v retrieving revision 1.6 diff -u -r1.6 ipfs --- ipfs 7 Oct 2004 13:55:26 -0000 1.6 +++ ipfs 17 Mar 2007 21:15:43 -0000 
@@ -6,7 +6,6 @@ # PROVIDE: ipfs # REQUIRE: ipnat -# BEFORE: netif # KEYWORD: nojail shutdown . /etc/rc.subr Index: ipfw =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipfw,v retrieving revision 1.14 diff -u -r1.14 ipfw --- ipfw 31 Dec 2006 10:37:18 -0000 1.14 +++ ipfw 17 Mar 2007 21:31:21 -0000 @@ -4,8 +4,7 @@ # # PROVIDE: ipfw -# REQUIRE: ppp -# BEFORE: NETWORKING +# REQUIRE: root mountcritlocal # KEYWORD: nojail . /etc/rc.subr Index: ipnat =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipnat,v retrieving revision 1.15 diff -u -r1.15 ipnat --- ipnat 31 Dec 2006 10:37:18 -0000 1.15 +++ ipnat 17 Mar 2007 21:15:29 -0000 @@ -6,7 +6,6 @@ # PROVIDE: ipnat # REQUIRE: ipfilter -# BEFORE: DAEMON netif # KEYWORD: nojail . /etc/rc.subr Index: netif =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/netif,v retrieving revision 1.22 diff -u -r1.22 netif --- netif 9 Feb 2007 12:11:26 -0000 1.22 +++ netif 17 Mar 2007 23:04:21 -0000 @@ -26,7 +26,8 @@ # # PROVIDE: netif -# REQUIRE: atm1 ipfilter mountcritlocal serial sppp sysctl +# REQUIRE: atm1 mountcritlocal serial sppp sysctl +# REQUIRE: ipfilter ipfs pf ipfw # KEYWORD: nojail . /etc/rc.subr Index: network_ipv6 =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/network_ipv6,v retrieving revision 1.37 diff -u -r1.37 network_ipv6 --- network_ipv6 7 Oct 2004 13:55:26 -0000 1.37 +++ network_ipv6 17 Mar 2007 21:20:18 -0000 @@ -29,7 +29,7 @@ # # PROVIDE: network_ipv6 -# REQUIRE: routing +# REQUIRE: routing ip6fw # KEYWORD: nojail . /etc/rc.subr Index: pf =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/pf,v retrieving revision 1.14 diff -u -r1.14 pf --- pf 31 Dec 2006 10:37:18 -0000 1.14 +++ pf 17 Mar 2007 21:18:13 -0000 
@@ -4,8 +4,7 @@ # # PROVIDE: pf -# REQUIRE: root mountcritlocal netif pflog pfsync -# BEFORE: routing +# REQUIRE: root mountcritlocal pflog pfsync # KEYWORD: nojail . /etc/rc.subr Index: pflog =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/pflog,v retrieving revision 1.10 diff -u -r1.10 pflog --- pflog 31 Dec 2006 10:37:18 -0000 1.10 +++ pflog 17 Mar 2007 21:18:21 -0000 @@ -4,7 +4,7 @@ # # PROVIDE: pflog -# REQUIRE: root mountcritlocal netif cleanvar +# REQUIRE: root mountcritlocal cleanvar # KEYWORD: nojail . /etc/rc.subr Index: pfsync =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/pfsync,v retrieving revision 1.2 diff -u -r1.2 pfsync --- pfsync 31 Dec 2006 10:37:18 -0000 1.2 +++ pfsync 17 Mar 2007 21:18:33 -0000 @@ -4,7 +4,7 @@ # # PROVIDE: pfsync -# REQUIRE: root mountcritlocal netif +# REQUIRE: root mountcritlocal # KEYWORD: nojail . /etc/rc.subr --------------090805060704060603060007--
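Review bot: in the ip6fw and network_ipv6 hunks, dropping `# BEFORE: network_ipv6` from ip6fw and adding ip6fw to network_ipv6's REQUIRE line expresses the same constraint from the other side, so the relative order of those two scripts is unchanged; but ip6fw still REQUIREs routing and therefore still starts after netif, so this pair of hunks does not move the IPv6 firewall ahead of interface configuration (the mail text defers that until ipfw subsumes ip6fw). Say so in the commit message so nobody reads these hunks as the fix for PR conf/108589. The `routing` entry on network_ipv6's new `# REQUIRE: routing ip6fw` line is now implied through ip6fw; keeping it is harmless but worth marking as deliberate.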
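Review bot: the ipnat hunk removes `# BEFORE: DAEMON netif` without reinstating the DAEMON half anywhere; the ordering survives only transitively (netif now REQUIREs ipfs, ipfs REQUIREs ipnat, and DAEMON follows NETWORKING which follows netif). That is correct for as long as ipfs stays on netif's REQUIRE list, so the commit message should state that the DAEMON constraint is dropped as redundant rather than leave it looking like an oversight, and the same goes for the `# BEFORE: netif` lines removed from ipfilter and ipfs.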
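Review bot: the ipfw hunk replaces `# REQUIRE: ppp` and `# BEFORE: NETWORKING` with `# REQUIRE: root mountcritlocal`, which does two things at once: it moves ipfw ahead of netif (the stated goal, enforced by the netif hunk) and it silently drops the dependency on ppp. If that requirement existed so that rules could be loaded after user-ppp created its interface, the commit message should say why it is no longer needed. The check that matters for the move itself: the rule set named by firewall_type or firewall_script is now loaded before any interface has an address, so a rule that needs name resolution or an interface's current address at load time will behave differently from today, while rules written against interface names or the `me` keyword are unaffected. The default-deny behaviour the thread relies on (everything blocked until a rule permits it) holds across the earlier start, so the window between netif and the old ipfw position is closed rather than opened.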
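Review bot: the netif hunk adds a second `# REQUIRE:` line listing `ipfilter ipfs pf ipfw`. ipfilter is already implied through ipfs (ipfs REQUIREs ipnat, ipnat REQUIREs ipfilter) and pflog/pfsync come in through pf, so the list is complete; ipfilter could be dropped as redundant, or the whole list replaced by the single FIREWALLS placeholder the mail proposes, which would stop netif's REQUIRE line growing each time a firewall script is added. Either way, note in the commit message that ip6fw is deliberately absent from the list.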
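Review bot: in the pf, pflog and pfsync hunks, removing netif from the REQUIRE lines (and `# BEFORE: routing` from pf, now implied through netif) means /etc/pf.conf is loaded before any interface is configured. pfctl expands a bare interface name used as an address in a rule to the addresses the interface has at load time, so a rule like `pass in on $ext_if from any to $ext_if` expands to an empty address list at boot; only the parenthesized form `($ext_if)` is re-evaluated per packet. That is a behaviour change for existing configurations and deserves an explicit mention in the commit message and in UPDATING.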
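The ordering argument in the mail (a `BEFORE: X` on one script and an `X REQUIRE:` on the other build the same dependency, and a FIREWALLS placeholder would collapse netif's list to one name) can be checked mechanically. The following is an added example written for this thread, not code from the FreeBSD tree: a small model of how rcorder(8) turns PROVIDE/REQUIRE/BEFORE keyword lines into a start order, fed with the firewall and netif headers from the diff. The headers for root, mountcritlocal, routing, ppp, NETWORKING, DAEMON and the other scripts netif depends on are constructed stand-ins, not the real /etc/rc.d files, and the tie-breaking between unconstrained scripts is arbitrary.

```python
"""Model of rcorder(8)-style dependency resolution for rc.d scripts.

Added example for this thread, not code from the FreeBSD tree. It reads
'# PROVIDE:', '# REQUIRE:' and '# BEFORE:' keyword lines and computes a
start order; all header texts below are constructed stubs.
"""
import re
from collections import defaultdict

KEYWORD_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)


def parse_keywords(text):
    """Names from every PROVIDE/REQUIRE/BEFORE line; several REQUIRE
    lines in one script (as in the patched netif) all count."""
    found = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for kw, names in KEYWORD_RE.findall(text):
        found[kw].extend(names.split())
    return found


def rc_order(scripts):
    """Start order for {script_name: header_text}.

    'S REQUIRE: X' makes S wait for every provider of X; 'S BEFORE: X'
    makes every provider of X wait for S. Ties are broken alphabetically;
    real rcorder promises nothing about ties, so only constrained pairs
    are meaningful.
    """
    headers = {name: parse_keywords(text) for name, text in scripts.items()}
    providers = defaultdict(set)            # keyword -> scripts providing it
    for name, kw in headers.items():
        for p in kw["PROVIDE"]:
            providers[p].add(name)
    waits_for = defaultdict(set)            # script -> scripts it must follow
    for name, kw in headers.items():
        for r in kw["REQUIRE"]:
            if r not in providers:
                raise ValueError(f"{name}: nothing provides {r}")
            waits_for[name] |= providers[r]
        for b in kw["BEFORE"]:
            if b not in providers:
                raise ValueError(f"{name}: nothing provides {b}")
            for later in providers[b]:
                waits_for[later].add(name)
    order, pending = [], set(scripts)
    while pending:                          # Kahn's algorithm
        ready = sorted(n for n in pending if not (waits_for[n] & pending))
        if not ready:
            raise ValueError("dependency cycle: " + ", ".join(sorted(pending)))
        order.append(ready[0])
        pending.remove(ready[0])
    return order


def starts_before(order, first, second):
    return order.index(first) < order.index(second)


def hdr(provide, *require_lines, before=""):
    """Build a stub rc.d header; each positional argument is one REQUIRE: line."""
    lines = [f"# PROVIDE: {provide}"] + [f"# REQUIRE: {r}" for r in require_lines]
    if before:
        lines.append(f"# BEFORE: {before}")
    return "\n".join(lines) + "\n"


# Constructed stand-ins for scripts whose headers are not in the diff.
COMMON = {
    "root": hdr("root"), "mountcritlocal": hdr("mountcritlocal", "root"),
    "atm1": hdr("atm1", "root"), "serial": hdr("serial", "root"),
    "sppp": hdr("sppp", "root"), "sysctl": hdr("sysctl", "root"),
    "cleanvar": hdr("cleanvar", "mountcritlocal"),
    "routing": hdr("routing", "netif"), "ppp": hdr("ppp", "netif"),
    "NETWORKING": hdr("NETWORKING", "netif routing network_ipv6"),
    "DAEMON": hdr("DAEMON", "NETWORKING"),
}

# Firewall-related headers as on the '-' side of the diff.
BEFORE_PATCH = dict(
    COMMON,
    ipfilter=hdr("ipfilter", "root mountcritlocal", before="netif"),
    ipnat=hdr("ipnat", "ipfilter", before="DAEMON netif"),
    ipfs=hdr("ipfs", "ipnat", before="netif"),
    ipfw=hdr("ipfw", "ppp", before="NETWORKING"),
    netif=hdr("netif", "atm1 ipfilter mountcritlocal serial sppp sysctl"),
    pflog=hdr("pflog", "root mountcritlocal netif cleanvar"),
    pfsync=hdr("pfsync", "root mountcritlocal netif"),
    pf=hdr("pf", "root mountcritlocal netif pflog pfsync", before="routing"),
    ip6fw=hdr("ip6fw", "routing", before="network_ipv6"),
    network_ipv6=hdr("network_ipv6", "routing"),
)

# The same scripts as on the '+' side of the diff.
AFTER_PATCH = dict(
    COMMON,
    ipfilter=hdr("ipfilter", "root mountcritlocal"),
    ipnat=hdr("ipnat", "ipfilter"),
    ipfs=hdr("ipfs", "ipnat"),
    ipfw=hdr("ipfw", "root mountcritlocal"),
    netif=hdr("netif", "atm1 mountcritlocal serial sppp sysctl",
              "ipfilter ipfs pf ipfw"),
    pflog=hdr("pflog", "root mountcritlocal cleanvar"),
    pfsync=hdr("pfsync", "root mountcritlocal"),
    pf=hdr("pf", "root mountcritlocal pflog pfsync"),
    ip6fw=hdr("ip6fw", "routing"),
    network_ipv6=hdr("network_ipv6", "routing ip6fw"),
)

# The FIREWALLS placeholder alternative from the mail (hypothetical script).
WITH_PLACEHOLDER = dict(
    AFTER_PATCH,
    netif=hdr("netif", "atm1 mountcritlocal serial sppp sysctl FIREWALLS"),
    FIREWALLS=hdr("FIREWALLS", "ipfilter ipfs pf ipfw"),
)

FIREWALL_SCRIPTS = ("ipfilter", "ipnat", "ipfs", "ipfw", "pf", "pflog", "pfsync")


def firewalls_before_netif(scripts):
    """True when every firewall-related script starts before netif."""
    order = rc_order(scripts)
    return all(starts_before(order, fw, "netif") for fw in FIREWALL_SCRIPTS)
```

Running `rc_order(BEFORE_PATCH)` reproduces the current state (ipfilter ahead of netif, pf and ipfw behind it); `rc_order(AFTER_PATCH)` puts all seven firewall-related scripts ahead of netif while ip6fw stays behind routing, and `rc_order(WITH_PLACEHOLDER)` shows the placeholder variant yields the same constrained pairs with a one-name REQUIRE on netif. The model also rejects a dependency cycle, which is the failure you would hit if a future script both REQUIREd netif and was pulled in by netif's firewall list.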