From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
To: Ian Freislich
Cc: current@freebsd.org
Subject: Re: pfsync rc script breaks pfsync on cloned interfaces
Date: Thu, 25 Jun 2009 21:17:06 -0700
Message-ID: <4A444BC2.4010606@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current

I have reverted the change that caused pf and ipfw to appear before netif in the rcorder. While I still feel strongly that it is the "right thing" to configure the firewalls first, the changes caused too many problems for too many users, and it's too late in the release cycle to make a change like this that has significant side effects. I would like to strongly encourage those who use pf and ipfw to consider doing the work required to make this change possible.
With ipfw it's not quite as urgent since by default it does not pass packets till it is configured. This is not the case with pf, as its default is wide open until it is configured.

Doug
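The ordering question in the message above comes down to how rcorder(8) resolves the `# PROVIDE:`, `# REQUIRE:` and `# BEFORE:` header lines in rc.d scripts. The following is an added example, not code from Doug Barton's post or FreeBSD's own rcorder: a minimal rcorder-style dependency sort over constructed, hypothetical rc.d headers (they are not the real /etc/rc.d/pf, /etc/rc.d/ipfw or /etc/rc.d/netif files). It shows how a `# BEFORE: netif` line moves the firewall scripts ahead of interface configuration, gives a check a defender can run over the resulting order to confirm the firewall is loaded before interfaces come up, and shows the cycle that appears if a script placed before netif also depends on something netif provides.

```python
"""Added example: a tiny rcorder-style dependency sort over constructed
rc.d header comments (hypothetical headers, not FreeBSD's real scripts)."""
import re
from collections import defaultdict

# Matches the keyword header lines rcorder(8) reads from rc.d scripts.
HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)


def parse_rc_script(text):
    """Return (provides, requires, befores) keyword lists from a script's header comments."""
    fields = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, value in HEADER_RE.findall(text):
        fields[key].extend(value.split())
    return fields["PROVIDE"], fields["REQUIRE"], fields["BEFORE"]


def rcorder(scripts):
    """scripts: dict of script name -> script text.

    Returns script names in dependency order. REQUIRE X means the provider
    of X runs earlier; BEFORE X means this script runs before the provider
    of X. Among scripts that are ready at the same time, alphabetical order
    is used so the result is deterministic. Raises ValueError on a cycle."""
    provider = {}                # keyword -> script that provides it
    deps = defaultdict(set)      # script -> scripts that must run earlier
    parsed = {}
    for name, text in scripts.items():
        provides, requires, befores = parse_rc_script(text)
        parsed[name] = (requires, befores)
        for p in provides:
            provider[p] = name
    for name, (requires, befores) in parsed.items():
        for r in requires:
            if r in provider:                 # unknown keywords are ignored
                deps[name].add(provider[r])
        for b in befores:
            if b in provider:
                deps[provider[b]].add(name)
    order, remaining = [], set(scripts)
    while remaining:
        ready = sorted(n for n in remaining if not (deps[n] & remaining))
        if not ready:
            raise ValueError("dependency cycle among: %s" % sorted(remaining))
        order.append(ready[0])
        remaining.discard(ready[0])
    return order


def firewall_before_netif(order, firewall="pf"):
    """True if the firewall script is configured before interfaces are brought up."""
    return order.index(firewall) < order.index("netif")


def has_cycle(scripts):
    """True if the constructed scripts cannot be ordered at all."""
    try:
        rcorder(scripts)
        return False
    except ValueError:
        return True


# Constructed, hypothetical rc.d headers (not the real /etc/rc.d files).
# In this layout both firewalls wait for netif, so interfaces are up before
# the ruleset is loaded; for pf that means a default-open window.
ORIGINAL = {
    "root": "# PROVIDE: root\n",
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n# REQUIRE: root\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS netif\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: FILESYSTEMS netif\n",
}

# Same constructed layout with a BEFORE: netif line on both firewalls,
# which is one way to get the "firewalls first" ordering the message describes.
CHANGED = dict(ORIGINAL)
CHANGED["pf"] = "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n"
CHANGED["ipfw"] = "# PROVIDE: ipfw\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n"

# Constructed failure case: pf is placed before netif but requires a
# hypothetical pfsync script that itself needs netif (e.g. a cloned
# interface), so no valid order exists.
CYCLIC = dict(CHANGED)
CYCLIC["pfsync"] = "# PROVIDE: pfsync\n# REQUIRE: netif\n"
CYCLIC["pf"] = "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS pfsync\n# BEFORE: netif\n"

if __name__ == "__main__":
    for label, scripts in (("original", ORIGINAL), ("changed", CHANGED)):
        order = rcorder(scripts)
        print(label, order, "pf before netif:", firewall_before_netif(order))
    print("cyclic layout has a cycle:", has_cycle(CYCLIC))
```

On a real system the same check can be made by reading the output of `rcorder /etc/rc.d/*` and comparing the positions of the firewall script and netif; the sort above only reproduces the keyword handling needed to reason about the change discussed in the thread.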