From owner-freebsd-security Fri Dec 10 18:13:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 0E46315162 for ; Fri, 10 Dec 1999 18:13:19 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id TAA17658; Fri, 10 Dec 1999 19:13:08 -0700 (MST)
Message-Id: <4.2.0.58.19991210190512.03d62d90@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Fri, 10 Dec 1999 19:12:52 -0700
To: Kevin Street , Brendan Conoboy
From: Brett Glass
Subject: Re: rc.firewall, ipf integration
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <14417.33934.245121.600826@mired.eh.local>
References: <199912102133.OAA17684@inago.swcp.com> <199912102133.OAA17684@inago.swcp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This might be a good time to take DHCP off of the Berkeley Packet
Filter interface and make it a bona fide protocol stack, albeit a
short one (it'd be null above the MAC layer). This would eliminate
the need for a special case mechanism to interact with it....

--Brett Glass

At 03:54 PM 12/10/1999, Kevin Street wrote:

>Brendan Conoboy writes:
>
> >So I'm sending this mail out to ask how people would like it improved.
> >I'm willing to do pretty much all of the work, particularly to get ipf
> >integrated. What do people think needs to happen?
>
>Brendan, for client machines, better integration with DHCP would be a
>worthwhile goal. The firewall setup needs to be called from the
>dhclient scripts since dhclient knows what the ip address is and gets
>notified of any changes (lease expiry, ip addr changes). Having an
>rc.firewall that can be called whenever the state changes would be
>useful. Having the boot up of dhcp and rc.firewall happen in the
>right order and leave the firewall configured correctly is mandatory.
>
>Right now, my dhcp startup sets up the firewall and then rc.network
>promptly flushes it. I've got mine set up so that rc.firewall
>discovers what ip address dhcp managed to get and re-establishes the
>firewall by calling the same external firewall script that I'm using
>during the dhclient lease renewals.
>--
>Kevin Street
>street@iname.com
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
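
Added example, not part of the thread and not FreeBSD's own code: a sketch of the decision logic a dhclient exit hook could use to call one external firewall script on lease events, as Kevin Street describes above. The script path, its `apply`/`lockdown` arguments and the function names are hypothetical; `$reason`, `$old_ip_address` and `$new_ip_address` are the variables ISC dhclient-script exposes to its hooks.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical path and arguments:
# FIREWALL_SCRIPT stands in for the single external firewall script that
# both rc.firewall and the dhclient hook would call.
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/usr/local/etc/firewall.sh}"

# Map a dhclient event to one of: "apply <ip>", "lockdown", "skip".
firewall_action() {
    fa_reason=$1; fa_old=$2; fa_new=$3
    case "$fa_reason" in
        BOUND|REBOOT)
            # Fresh lease: rules must be (re)built for the new address.
            if [ -n "$fa_new" ]; then echo "apply $fa_new"; else echo "lockdown"; fi ;;
        RENEW|REBIND)
            # Only rebuild when the address actually changed.
            if [ -z "$fa_new" ]; then echo "lockdown"
            elif [ "$fa_new" != "$fa_old" ]; then echo "apply $fa_new"
            else echo "skip"; fi ;;
        EXPIRE|FAIL)
            # Lease lost: fail closed rather than keep rules for a stale address.
            echo "lockdown" ;;
        *)
            echo "skip" ;;
    esac
}

# Run (or, with DRY_RUN=1, just print) the firewall command for an event.
run_firewall_hook() {
    rf_action=$(firewall_action "$1" "$2" "$3")
    case "$rf_action" in
        skip) return 0 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$FIREWALL_SCRIPT $rf_action"
    else
        # Word splitting is intended: "apply <ip>" becomes two arguments.
        "$FIREWALL_SCRIPT" $rf_action
    fi
}

# When sourced by dhclient-script as an exit hook, $reason is set.
if [ -n "${reason:-}" ]; then
    run_firewall_hook "$reason" "${old_ip_address:-}" "${new_ip_address:-}"
fi
```

Because rc.network flushes the rules at boot, rc.firewall would still need to call the same script once after dhclient has an address, which is the ordering problem the thread raises.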