From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 20:30:54 2006
Message-ID: <44BAA171.8070302@suutari.iki.fi>
Date: Sun, 16 Jul 2006 23:28:33 +0300
From: Ari Suutari
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
To: Andrew Thompson
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <44BA8A95.10300@suutari.iki.fi> <20060716191732.GD3240@insomnia.benzedrine.cx> <44BA9ECA.6090607@suutari.iki.fi> <20060716202253.GF29207@heff.fud.org.nz>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Sun, 16 Jul 2006 20:30:54 -0000

Hi,

Andrew Thompson wrote:
>> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
>> pf is run after netif so if one is using only pf as firewall,
>> there is a window between run of "netif" and "pf" where network
>> interfaces are up but there is no firewall loaded. Adding
>> pf_boot, which runs before "netif" would fix this, wouldn't it ?
>
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?

I wasn't thinking about the firewall itself, but the network it protects.
But now I notice that routing is run *after* pf so things should be ok ?

Sorry to be such a pain but I have tried asking about this many times but
got no good answers (and I got even more worried when I noticed that
NetBSD had a special boot-time ruleset).

I guess this is case closed then!

Ari S.
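As an added example (not code from this thread or from FreeBSD), the following POSIX sh script turns the rcorder(8) inspection discussed above into a repeatable check: given the ordered list rcorder prints, it reports which of netif and routing start before the firewall script. Both script lists below are constructed samples, not real rcorder output; the names pf_boot, netif, routing and pf are taken from the thread.

```shell
#!/bin/sh
# Check rcorder(8) output for the boot-time window discussed in the thread:
# interface/route setup scripts that run before the firewall ruleset is loaded.
# Real use: unprotected_steps pf "$(rcorder /etc/rc.d/*)"

# Constructed order matching what the thread reports for FreeBSD 6.1:
# netif before pf, routing after pf.
SAMPLE_61='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd'

# Constructed order with a NetBSD-style early ruleset script (pf_boot) first.
SAMPLE_EARLY='/etc/rc.d/hostid
/etc/rc.d/pf_boot
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd'

# rc_position NAME ORDER: 1-based position of /etc/rc.d/NAME in ORDER, 0 if absent.
rc_position() {
    printf '%s\n' "$2" | awk -v want="/etc/rc.d/$1" '
        $0 == want { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# runs_before A B ORDER: succeed only if both scripts are listed and A precedes B.
runs_before() {
    pos_a=$(rc_position "$1" "$3")
    pos_b=$(rc_position "$2" "$3")
    [ "$pos_a" -gt 0 ] && [ "$pos_b" -gt 0 ] && [ "$pos_a" -lt "$pos_b" ]
}

# unprotected_steps FW ORDER: print the network setup steps (netif, routing)
# that start before firewall script FW; succeed only if there are none.
unprotected_steps() {
    gap=""
    for step in netif routing; do
        if [ "$(rc_position "$step" "$2")" -gt 0 ] && ! runs_before "$1" "$step" "$2"; then
            gap="$gap $step"
        fi
    done
    printf '%s\n' "${gap# }"
    [ -z "$gap" ]
}

unprotected_steps pf "$SAMPLE_61" || echo "window: pf loads after the steps above"
unprotected_steps pf_boot "$SAMPLE_EARLY" && echo "no window before pf_boot"
```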