From owner-freebsd-current@FreeBSD.ORG Thu Jun 25 17:45:36 2009
From: Maxim Ignatenko
Date: Thu, 25 Jun 2009 20:13:49 +0300
To: freebsd-current
Subject: /etc/rc.d/netif: "REQUIRE: ipfw pf" breaks NAT configuration
Hi,

After r193198 my system can't start normally because ipfw nat, included in $firewall_script, doesn't accept an interface without an IP address. So nat is included in the ruleset, but not configured, and doesn't pass any traffic at all.

Such a trick works for ipfilter because it has a separate configuration of NAT and it may be started after the main ruleset, when interfaces are configured. But for ipfw it requires manual configuration of two rulesets: the main one without nat and a second one, nat itself; as for pf, it's not possible at all, since a ruleset can't be loaded partially.

Regarding the commit entry for r193198, this was done to eliminate a small window between rc.d/netif and loading firewall rules, but in the default configuration during this small window the firewall just drops any packets, so the system is not vulnerable.

I see two variants to resolve this issue:
1) teach ipfw nat and pf to accept an interface without an IP address and start actual work after the interface gets configured
2) revert back to the old behavior, when the firewall started after rc.d/netif
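The two-ruleset split the post mentions for ipfw, as an added example that is not part of the original message: the main ruleset stays in $firewall_script, and the NAT part below is applied by a separate script that is meant to run once the interface has an address (for instance from an rc script that requires netif). The interface name em0, NAT instance 1 and rule number 100 are assumed placeholders; ipfw is only invoked when the script is run with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original post: apply the ipfw NAT rules only
# after the external interface has an IPv4 address. Assumed placeholders:
# interface em0, nat instance 1, rule number 100. IPFW may be overridden
# from the environment so the script can be exercised without a real ipfw.

IPFW="${IPFW:-/sbin/ipfw}"

# True (exit 0) only if the given ifconfig(8) output contains an "inet " line,
# i.e. the interface already has an IPv4 address configured.
has_inet_addr() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Emit the NAT rules for interface $1 as ipfw argument lines; nothing is run.
nat_rules() {
    printf 'nat 1 config if %s same_ports reset\n' "$1"
    printf 'add 100 nat 1 ip from any to any via %s\n' "$1"
}

# Feed each emitted rule to ipfw, but only once the interface is configured;
# this is the check that $firewall_script cannot make when it runs before netif.
apply_nat() {
    ifc="$(ifconfig "$1" 2>/dev/null)" || return 1
    if ! has_inet_addr "$ifc"; then
        echo "$1 has no IPv4 address yet; not configuring nat" >&2
        return 1
    fi
    # shellcheck disable=SC2086
    nat_rules "$1" | while read -r rule; do "$IPFW" $rule || exit 1; done
}

if [ "${1:-}" = "apply" ]; then
    apply_nat "${2:-em0}"
fi
```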