Date: Fri, 26 Jun 2009 07:53:29 +0200
From: Ian FREISLICH <ianf@clue.co.za>
To: Doug Barton <dougb@FreeBSD.org>
Cc: current@freebsd.org
Subject: Re: pfsync rc script breaks pfsync on cloned interfaces
Message-ID: <E1MK4NN-000GGr-5f@clue.co.za>
In-Reply-To: <4A444BC2.4010606@FreeBSD.org>
References: <4A444BC2.4010606@FreeBSD.org> <E1MJoX9-000F3V-6z@clue.co.za>
Doug Barton wrote:
> I have reverted the change that caused pf and ipfw to appear before
> netif in the rcorder. While I still feel strongly that it is the
> "right thing" to configure the firewalls first, the changes caused too
> many problems for too many users, and it's too late in the release
> cycle to make a change like this that has significant side effects.

Then, what is required is the creation of (cloned) interfaces to be
separated from assigning them addresses. But even that is insufficient
because pf.conf allows "interface:network" etc., which expands to the
networks on an interface. Unlike ipfw, which walks the ifnet structure
to compare addresses, if at the time of firewall configuration the
interface has no address, then the rule will expand to have no address.

> ipfw it's not quite as urgent since by default it does not pass
> packets till it is configured. This is not the case with pf, as its
> default is wide open until it is configured.

I put it to you that users of pf know that it starts with default allow
and changing this will result in a POLA violation.

Ian

--
Ian Freislich
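The load-time expansion Ian describes can be seen in a pf.conf fragment. This is an added illustration, not part of the thread and not code from the FreeBSD rc scripts; the interface name em0 and the addresses are assumed. The first rule is expanded by pfctl when the ruleset is loaded, so if em0 has no address yet the rule ends up with an empty source set; the second form uses the parentheses syntax from pf.conf(5), which makes pf track the interface's addresses in the kernel as they change instead of fixing them at load time.

```pf
# Assumed: em0 is the interface that gets its address after pf loads.
# Constructed example, not from the thread.

# Load-time expansion: "em0:network" is resolved by pfctl when the
# ruleset is loaded. If em0 has no address at that moment, the
# resulting rule has no source network and matches nothing.
pass in on em0 from em0:network to any

# Dynamic form: the parentheses tell pf to keep the address list
# updated in the kernel whenever em0's addresses change, so the rule
# starts working once the address is assigned, without a reload.
pass in on em0 from (em0:network) to any
```

To check how a rule actually expanded, load the file in parse-only verbose mode, `pfctl -nvf /etc/pf.conf`; the printed rules show the addresses that were substituted for `em0:network` at that point, and for the parenthesized form show the interface name, since the kernel resolves it later.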
