Date:      Mon, 24 Jul 2006 11:32:36 +0200
From:      Harald Muehlboeck <home@clef.at>
To:        "Simon L. Nielsen" <simon@nitro.dk>
Cc:        freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <86wta3e4az.fsf@tuha.clef.at>
References:  <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk>


Simon L. Nielsen <simon@nitro.dk> writes:
> On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
>
>> The "hole" being discussed is the time, during boot, before pf is fully
>> functional with the production ruleset. For a comparatively long time,
>> the pf module isn't even loaded yet. 
>> 
>> So, you first need to check the boot sequence for
>> 
>>   - interfaces being brought up before pf is loaded
>>   - addresses assigned to those interfaces
>>   - daemons starting and listening on those addresses
>>   - route table getting set up
>>   - IP forwarding getting enabled
>>   - etc.
>
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole.  Most importantly pf is enabled before routing.


> # rcorder -s nostart /etc/rc.d/*
> [...]
> /etc/rc.d/ipfilter
> [...]
> /etc/rc.d/sysctl
> [...]
> /etc/rc.d/pf
> /etc/rc.d/routing
> [...]

But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as
well as many other options like bridging, ... (I don't know if it is
usual to do so)
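The ordering concern raised above (sysctl.conf being applied by /etc/rc.d/sysctl before /etc/rc.d/pf has loaded the ruleset) can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD; it takes an rcorder listing and a sysctl.conf body as strings, and reports whether any exposure-widening sysctl is set to 1 in a step that precedes pf. The two inputs are constructed samples so it runs offline; on a real host you would feed it the output of `rcorder -s nostart /etc/rc.d/*` and the contents of /etc/sysctl.conf. The list of sysctls it watches (IPv4 and IPv6 forwarding) is an assumption that extends the single forwarding knob named in the message.

```shell
#!/bin/sh
# Added example (not from the thread): audit the boot order for the gap
# where sysctl.conf enables forwarding before pf has its ruleset loaded.

# Sysctls whose value 1 widens the host's exposure before pf is up.
# Assumption: this list extends the thread's single example knob.
EXPOSURE_SYSCTLS='net.inet.ip.forwarding net.inet6.ip6.forwarding'

# Constructed sample: abridged rcorder output in the order shown in the thread.
SAMPLE_ORDER='/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/pf
/etc/rc.d/routing'

# Constructed sample: a sysctl.conf that enables forwarding at boot.
SAMPLE_CONF_HOLE='# constructed sysctl.conf
net.inet.ip.forwarding = 1
kern.ipc.somaxconn=1024'

# Constructed sample: forwarding left off, the enabling line only in a comment.
SAMPLE_CONF_OK='# constructed sysctl.conf
# net.inet.ip.forwarding=1
net.inet.ip.forwarding=0'

# Print the 1-based position of a script in the rcorder listing; empty if absent.
rc_position() {
    printf '%s\n' "$1" | awk -v s="$2" '$0 == s { print NR; exit }'
}

# Succeed (exit 0) if sysctl.conf text $1 sets sysctl $2 to exactly 1.
# Comments are stripped first; whitespace around name and value is ignored.
sysctl_set_to_one() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -F= -v n="$2" '
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == n && $2 == "1" { found = 1 }
        END { exit !found }'
}

# Report whether sysctl.conf widens exposure before /etc/rc.d/pf runs.
# Prints a verdict starting with OK: or HOLE: and returns 0 or 1 accordingly.
audit_boot_gap() {
    order="$1"
    conf="$2"
    pf_pos=$(rc_position "$order" /etc/rc.d/pf)
    sysctl_pos=$(rc_position "$order" /etc/rc.d/sysctl)
    if [ -z "$pf_pos" ]; then
        echo "HOLE: /etc/rc.d/pf is not in the boot order at all"
        return 1
    fi
    if [ -z "$sysctl_pos" ] || [ "$sysctl_pos" -gt "$pf_pos" ]; then
        echo "OK: sysctl.conf is applied after pf (or not at all)"
        return 0
    fi
    for name in $EXPOSURE_SYSCTLS; do
        if sysctl_set_to_one "$conf" "$name"; then
            echo "HOLE: $name=1 applied at step $sysctl_pos, before pf at step $pf_pos"
            return 1
        fi
    done
    echo "OK: nothing in sysctl.conf widens exposure before pf loads"
    return 0
}

# Run both constructed cases when executed directly.
audit_boot_gap "$SAMPLE_ORDER" "$SAMPLE_CONF_HOLE" || echo "(audit exit status $?)"
audit_boot_gap "$SAMPLE_ORDER" "$SAMPLE_CONF_OK"
```

The check only models the one ordering the thread discusses; a complete audit would also look at the other items Daniel listed (interfaces and addresses configured before pf, daemons started before it), which rcorder exposes in the same way.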




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86wta3e4az.fsf>