From owner-freebsd-current@FreeBSD.ORG Fri Jun 26 14:56:30 2009 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C3D531065672 for ; Fri, 26 Jun 2009 14:56:30 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.freebsd.org (Postfix) with ESMTP id 5B0018FC1E for ; Fri, 26 Jun 2009 14:56:30 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 2695 invoked by uid 399); 26 Jun 2009 14:56:26 -0000 Received: from localhost (HELO foreign.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with ESMTPAM; 26 Jun 2009 14:56:26 -0000 X-Originating-IP: 127.0.0.1 X-Sender: dougb@dougbarton.us Message-ID: <4A44E198.3050004@FreeBSD.org> Date: Fri, 26 Jun 2009 07:56:24 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0.0.22 (X11/20090625) MIME-Version: 1.0 To: Dimitry Andric References: <4A444BC2.4010606@FreeBSD.org> <200906261104.07597.max@love2party.net> <4A44B7DE.2090503@andric.com> In-Reply-To: <4A44B7DE.2090503@andric.com> X-Enigmail-Version: 0.95.7 OpenPGP: id=D5B2F0FB Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: Max Laier , freebsd-current@freebsd.org, freebsd-pf@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: pfsync rc script breaks pfsync on cloned interfaces X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Jun 2009 14:56:31 -0000 Dimitry Andric wrote: > On 2009-06-26 11:04, Max Laier wrote: >> I would like input about how a very simple "save default" setup could look >> like. A ruleset for pf or ipfw that allows most of the boot process to >> complete without opening the host to the outside world, yet. For extra >> points this ruleset is aware of the rc.conf variables and adjusts >> accordingly (e.g. opening access to sshd iff it is configured). In >> addition there might be *one or two* configuration variables for the early >> stage to open additional ports or to select a default interface. However, >> the fewer the better. > > If you look at how OpenBSD implements their /etc/rc script, you will see > it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and > (if applicable) IPv6 routing and neighbor advertisements. > > Then it does the regular network setup (/etc/netstart), followed by > loading the full PF rules. I think that would be a great approach, it's just waiting for someone familiar with pf to implement it. :) I also forgot to mention, there is no need to include me on future cc's for this topic. Regards, Doug -- This .signature sanitized for your protection