From: Max Laier
Organization: FreeBSD
To: Doug Barton
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Date: Mon, 1 Jun 2009 08:20:02 +0200
Subject: Re: svn commit: r193198 - head/etc/rc.d

On Monday 01 June 2009 07:35:03 Doug Barton wrote:
> Author: dougb
> Date: Mon Jun 1 05:35:03 2009
> New Revision: 193198
> URL: http://svn.freebsd.org/changeset/base/193198
>
> Log:
>   Make the pf and ipfw firewalls start before netif, just like ipfilter
>   already does. This eliminates a logical inconsistency, and a small
>   window where the system is open after the network comes up.

Can you please add a note about this in UPDATING? It might be a slight POLA
violation for people who rely on the interfaces being configured to set up the
firewall. For instance when one doesn't use dynamic address rules in pf, i.e.
"from/to ifX" instead of "from/to (ifX)".

> Modified:
>   head/etc/rc.d/ip6fw
>   head/etc/rc.d/ipfilter
>   head/etc/rc.d/ipfs
>   head/etc/rc.d/ipfw
>   head/etc/rc.d/ipnat
>   head/etc/rc.d/netif
>   head/etc/rc.d/network_ipv6
>   head/etc/rc.d/pf
>   head/etc/rc.d/pflog
>   head/etc/rc.d/pfsync

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
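A pre-upgrade check for the case raised in the reply above, as an added example that is not part of the original mail or of FreeBSD's own tooling: it scans a pf.conf for "from/to ifX" addresses written without parentheses, which pf resolves when the ruleset is loaded and which therefore depend on the interface already being configured. The function name, the sample ruleset and the interface set are assumptions made for illustration; brace lists and tables are not examined.

```python
import re

# Constructed sample pf.conf; interface names and rules are illustrative only.
SAMPLE_PF_CONF = '''\
ext_if = "em0"
int_if = "em1"
block in all
pass in on $ext_if proto tcp from any to $ext_if port 22
pass in on $int_if from $int_if:network to any
pass out on $ext_if from ($ext_if) to any
pass in on em1 proto udp from any to (em1) port 53  # dynamic form
'''

# Single-value macro definition, quoted or unquoted: name = "value"
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
# Address after from/to: optional "!", optional "(", then a name or $macro.
# The lookbehind keeps "route-to" and "proto" from matching as "to".
ADDR_RE = re.compile(r'(?<![\w-])(from|to)\s+!?\s*(\(?)\s*(\$?[\w.]+)')


def static_interface_refs(conf_text, interfaces):
    """Return (line_no, keyword, interface) for every from/to address that
    names an interface without parentheses (modifiers such as :network
    included), i.e. one that is resolved once, at ruleset load time."""
    macros, findings = {}, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0]          # drop trailing comments
        macro = MACRO_RE.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        for keyword, paren, token in ADDR_RE.findall(line):
            # Expand $macro to its value; leave literal names untouched.
            name = macros.get(token[1:], token) if token.startswith('$') else token
            if not paren and name in interfaces:
                findings.append((line_no, keyword, name))
    return findings


if __name__ == '__main__':
    # The interface set is an assumption; on a real host take it from `ifconfig -l`.
    for line_no, keyword, name in static_interface_refs(SAMPLE_PF_CONF, {'em0', 'em1'}):
        print(f'line {line_no}: "{keyword} {name}" is static; '
              f'consider "{keyword} ({name})"')
```

Rules the check reports are the ones to rewrite in the "(ifX)" form, or to review, before relying on pf starting ahead of netif.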