From owner-freebsd-net  Wed Aug  7  0:30:52 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B3B6E37B400
	for <net@FreeBSD.ORG>; Wed,  7 Aug 2002 00:30:50 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1D82C43E42
	for <net@FreeBSD.ORG>; Wed,  7 Aug 2002 00:30:50 -0700 (PDT)
	(envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020807073049.PNIF221.sccrmhc02.attbi.com@blossom.cjclark.org>;
          Wed, 7 Aug 2002 07:30:49 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g777UmJK070520;
	Wed, 7 Aug 2002 00:30:48 -0700 (PDT)
	(envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g777UisF070519;
	Wed, 7 Aug 2002 00:30:44 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 7 Aug 2002 00:30:43 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Julian Elischer <julian@elischer.org>
Cc: net@FreeBSD.ORG
Subject: Re: ipfw and ipf start times..
Message-ID: <20020807073043.GA69787@blossom.cjclark.org>
Reply-To: "Crist J. Clark" <cjc@FreeBSD.ORG>
References: <Pine.BSF.4.21.0208051533250.65715-100000@InterJet.elischer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSF.4.21.0208051533250.65715-100000@InterJet.elischer.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Mon, Aug 05, 2002 at 03:36:34PM -0700, Julian Elischer wrote:
> 
> 
> I notice that ipf is started very early in rc.network
> and ipfw is started somewhat later.
> 
> Specifically ipfw is done after the interfaces are ifconfig'd up
> and ipf is done before.
> 
> Does anyone know if there is a specific reason for this?
> (in 4.x)

I'm not sure if there is any reason, but historically, ipfw(8) has
defaulted to being closed when not configured and ipf(8) to being
open. This is seen in the kernel configuration options,

  options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default

  options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default

The defaults are the opposite. Thus, from a security standpoint you
want to configure ipf(8) before you setup the interfaces, while
ipfw(8) can wait.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message