From owner-freebsd-security Fri Dec 10 14:54: 9 1999
From: Kevin Street
Date: Fri, 10 Dec 1999 17:54:06 -0500 (EST)
To: Brendan Conoboy
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall, ipf integration
Message-ID: <14417.33934.245121.600826@mired.eh.local>
In-Reply-To: <199912102133.OAA17684@inago.swcp.com>

Brendan Conoboy writes:
>So I'm sending this mail out to ask how people would like it improved.
>I'm willing to do pretty much all of the work, particularly to get ipf
>integrated. What do people think needs to happen?

Brendan, for client machines, better integration with DHCP would be a
worthwhile goal. The firewall setup needs to be called from the
dhclient scripts since dhclient knows what the ip address is and gets
notified of any changes (lease expiry, ip addr changes).

Having an rc.firewall that can be called whenever the state changes
would be useful. Having the boot up of dhcp and rc.firewall happen in
the right order and leave the firewall configured correctly is
mandatory. Right now, my dhcp startup sets up the firewall and then
rc.network promptly flushes it.

I've got mine set up so that rc.firewall discovers what ip address
dhcp managed to get and re-establishes the firewall by calling the
same external firewall script that I'm using during the dhclient
lease renewals.

-- 
Kevin Street street@iname.com
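
A sketch of the arrangement described in the message above, added here as an example and not taken from the original post or from FreeBSD's own scripts: one set of functions decides, from the variables dhclient-script exports, whether the ipfw rules need rebuilding, and rc.firewall could source the same file at boot. The function names, rule numbers, ruleset and the FW_DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: sketch of an /etc/dhclient-exit-hooks file. dhclient-script
# sources it with $reason, $interface, $old_ip_address, $new_ip_address set.
# Function names, rule numbers and FW_DRY_RUN are assumptions of this example.

# Map a DHCP event to a firewall action: reload | lockdown | none
fw_action() {  # $1=reason $2=old_ip $3=new_ip
    case "$1" in
        BOUND|REBOOT) [ -n "$3" ] && echo reload || echo none ;;
        RENEW|REBIND) # lease refreshed: reload only if the address changed
            if [ -n "$3" ] && [ "$2" != "$3" ]; then echo reload; else echo none; fi ;;
        EXPIRE|FAIL|RELEASE|STOP) echo lockdown ;;
        *) echo none ;;
    esac
}

# Print a minimal constructed ipfw ruleset for the leased address.
fw_rules() {  # $1=ip $2=interface
    # Lease data comes off the network: refuse anything that is not a plain
    # dotted address or interface name before it reaches a rule.
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    case "$2" in ""|*[!A-Za-z0-9_.]*) return 1 ;; esac
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow ip from $1 to any out xmit $2 keep-state
add 400 allow udp from any 67 to any 68 in recv $2
add 65000 deny ip from any to any
EOF
}

dhcp_firewall_hook() {
    action=$(fw_action "$reason" "${old_ip_address:-}" "${new_ip_address:-}")
    case "$action" in
        reload)   rules=$(fw_rules "$new_ip_address" "$interface") || return 1 ;;
        lockdown) rules="add 65000 deny ip from any to any" ;;
        *)        return 0 ;;
    esac
    if [ -n "${FW_DRY_RUN:-}" ]; then printf '%s\n' "$rules"; return 0; fi
    ipfw -q flush
    printf '%s\n' "$rules" | while read -r rule; do ipfw -q $rule; done
}

# dhclient-script sets $reason; when it is unset (file run by hand) do nothing.
if [ -n "${reason:-}" ]; then dhcp_firewall_hook; fi
```

Setting FW_DRY_RUN=1 prints the rules that would be loaded instead of calling ipfw, which allows the hook to be checked without touching the live ruleset.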