Date: Wed, 7 Aug 2002 00:30:43 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Julian Elischer <julian@elischer.org>
Cc: net@FreeBSD.ORG
Subject: Re: ipfw and ipf start times..
Message-ID: <20020807073043.GA69787@blossom.cjclark.org>
In-Reply-To: <Pine.BSF.4.21.0208051533250.65715-100000@InterJet.elischer.org>
References: <Pine.BSF.4.21.0208051533250.65715-100000@InterJet.elischer.org>
On Mon, Aug 05, 2002 at 03:36:34PM -0700, Julian Elischer wrote:
> 
> I notice that ipf is started very early in rc.network
> and ipfw is started somewhat later.
> 
> Specifically ipfw is done after the interfaces are ifconfig'd up
> and ipf is done before.
> 
> Does anyone know if there is a specific reason for this?
> (in 4.x)

I'm not sure if there is any reason, but historically, ipfw(8) has
defaulted to being closed when not configured and ipf(8) to being
open. This is seen in the kernel configuration options,

  options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
  options IPFILTER_DEFAULT_BLOCK        #block all packets by default

The defaults are the opposite. Thus, from a security standpoint you
want to configure ipf(8) before you set up the interfaces, while
ipfw(8) can wait.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
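The fail-open versus fail-closed point made in the reply above is the one a practitioner actually has to check on a given box before deciding which filter may be started after the interfaces come up. The script below is an added example, not code from the thread or from FreeBSD itself: it reads a kernel config in the `options NAME` format, decides for each packet filter what it does to traffic while no ruleset has been loaded yet, and flags the one that must be configured before ifconfig. The option names are the two quoted in the message; the sample kernel config, the helper names (`has_option`, `ipfw_default`, `ipf_default`, `must_precede_ifconfig`, `report`) and the other option lines in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): decide, from a FreeBSD-style
# kernel config, whether each packet filter is fail-open or fail-closed while
# no ruleset is loaded, and hence whether its rules must be in place before
# the interfaces are brought up.

# Constructed sample kernel config. Only the *_DEFAULT_* option names are the
# ones quoted in the message; the rest is filler to give the parser realistic
# lines (comments, other options) to skip over.
SAMPLE_KERNCONF="$(cat <<'EOF'
ident   GENERIC
options IPFIREWALL                  # ipfw(8) in the kernel
options IPFIREWALL_VERBOSE
options IPFILTER                    # ipf(8) in the kernel
options IPFILTER_LOG
# options IPFILTER_DEFAULT_BLOCK    # commented out: must not count
EOF
)"

# has_option CONFIG OPTION -> exit 0 if an uncommented "options OPTION" line
# is present. Comments are stripped first; the option name must end at
# whitespace or end of line so IPFILTER_DEFAULT_BLOCK does not match a
# hypothetical longer name with the same prefix.
has_option() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)"
}

# ipfw_default CONFIG -> "open" or "closed"
# ipfw denies everything until IPFIREWALL_DEFAULT_TO_ACCEPT is compiled in.
ipfw_default() {
    if has_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo open
    else
        echo closed
    fi
}

# ipf_default CONFIG -> "open" or "closed"
# ipf passes everything until IPFILTER_DEFAULT_BLOCK is compiled in.
ipf_default() {
    if has_option "$1" IPFILTER_DEFAULT_BLOCK; then
        echo closed
    else
        echo open
    fi
}

# must_precede_ifconfig POLICY -> "yes" for a fail-open filter: if its rules
# are loaded after the interfaces are up there is a window with no filtering.
# A fail-closed filter can be configured later without exposing anything.
must_precede_ifconfig() {
    case "$1" in
        open) echo yes ;;
        *)    echo no ;;
    esac
}

# report CONFIG -> one line per filter with its unconfigured default and the
# resulting ordering requirement relative to ifconfig.
report() {
    conf="$1"
    for fw in ipfw ipf; do
        pol="$("${fw}_default" "$conf")"
        printf '%-5s default when unconfigured: %-6s configure before ifconfig: %s\n' \
            "$fw" "$pol" "$(must_precede_ifconfig "$pol")"
    done
}

report "$SAMPLE_KERNCONF"
```

Run it against a real config with `report "$(cat /usr/src/sys/i386/conf/MYKERNEL)"` (path is an example). With the sample above it reports ipfw as closed and ipf as open, which is exactly the asymmetry that justifies starting ipf before the interfaces are configured; adding `options IPFILTER_DEFAULT_BLOCK` flips ipf to closed, and the commented-out line is correctly ignored.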