From owner-freebsd-net@FreeBSD.ORG Mon Mar 19 00:13:59 2007
Message-ID: <45FDD5C3.1070305@FreeBSD.org>
Date: Sun, 18 Mar 2007 17:13:55 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: Kian Mohageri
Cc: freebsd-net@freebsd.org, Mark Andrews, freebsd-rc@freebsd.org
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com>
In-Reply-To: <45FC90CE.3020605@gmail.com>
Subject: Re: rc.order wrong (ipfw)
List-Id: Networking and TCP/IP with FreeBSD

Kian Mohageri wrote:
> I can't speak for ipfw, but removing the
> REQUIRE: netif for pf might break some setups where the ruleset
> references a cloned interface that netif creates. Correct me if I'm wrong?
>
> Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
> solve that problem, at least for pf.
> The idea has been discussed a few
> times before but I didn't see it go anywhere.

That's because no one who uses pf (and therefore cares sufficiently about the issue) has stepped up to do the work. Q.E.D.

I don't know pf from a hole in the ground, and I'm not going to develop and commit a fundamentally different way of doing things for it that I can't test, and therefore will have no confidence that it's been done correctly.

That said, if the issues of needing to resolve hostnames and set up rules for cloned interfaces are a universal problem (and it seems that they are) then perhaps rather than customizing a solution for pf it might be worthwhile to have a more generic "firewalls_late" script that performs the appropriate actions regardless of what firewalls are enabled. That way we could add just one rc.d script, and using the new functionality would be opt-in. Off the top of my head I envision something like:

	# checkyesno is an rc.subr function that takes the variable *name*,
	# so it is called directly rather than used as an operand of test(1)
	if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
		# do stuff specific to ipfw
	fi
	if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
		...

Comments? That's something that I would feel comfortable developing and committing, since it would be opt-in, and others more knowledgeable than I could jump in and run with it for a while before we considered MFC'ing it (if doing that would be appropriate at all, and I'm not sure that it would be).

OTOH, perhaps if we just move everything (and therefore break things in the manner you described) it will motivate someone to do the work. :)

Doug

-- 
This .signature sanitized for your protection
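A fuller sketch of what such an opt-in rc.d script could look like, added here as an illustration rather than code from FreeBSD or from the message above. The rc.d skeleton follows rc.subr conventions; the script name, the firewall_rules_late and pf_rules_late variables, the dry-run prefix and the fallback checkyesno (only used where /etc/rc.subr is absent) are assumptions.

```shell
#!/bin/sh
#
# Hypothetical rc.d script: load the "late" firewall rules only once
# netif has created cloned interfaces and routing is in place, so the
# rule files may reference those interfaces and resolvable hostnames.
#
# PROVIDE: firewalls_late
# REQUIRE: netif routing
# KEYWORD: nojail

# On FreeBSD, rc.subr supplies checkyesno, load_rc_config and
# run_rc_command. The fallback exists only so the logic can be
# exercised on a host without rc.subr (assumption, not rc.subr's code).
if [ -r /etc/rc.subr ]; then
	. /etc/rc.subr
else
	checkyesno() {
		eval _v=\$$1
		case "$_v" in
		[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
		*) return 1 ;;
		esac
	}
fi

name="firewalls_late"
start_cmd="firewalls_late_start"
stop_cmd=":"

# FWL_CMD_PREFIX (hypothetical) may be set to "echo" for a dry run.
firewalls_late_start()
{
	# Each firewall is handled only when it is enabled AND the admin
	# opted in by naming a late rules file; nothing changes otherwise.
	if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
		${FWL_CMD_PREFIX} /sbin/ipfw -q "$firewall_rules_late"
	fi
	if checkyesno pf_enable && [ -n "$pf_rules_late" ]; then
		${FWL_CMD_PREFIX} /sbin/pfctl -q -f "$pf_rules_late"
	fi
}

# Only dispatch as an rc.d script where rc.subr actually exists.
if [ -r /etc/rc.subr ]; then
	load_rc_config $name
	run_rc_command "$1"
fi
```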