From: Kian Mohageri
Date: Sat, 17 Mar 2007 18:07:26 -0700
To: Doug Barton
Cc: freebsd-net@freebsd.org, Mark Andrews, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
Message-ID: <45FC90CE.3020605@gmail.com>
In-Reply-To: <45FC7EAE.803@FreeBSD.org>
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

Doug Barton wrote:
>
> If it's reasonable to conclude that we want all the firewalls to start
> before netif, I see two ways to accomplish that. One would be to have
> netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is
> cleaner, but netif already has a pretty long REQUIRE line. The other
> way would be to add a new FIREWALLS placeholder for the REQUIREs I'm
> suggesting above, and then have netif REQUIRE that.
>
> If on the other hand, there is some reason NOT to start all the
> firewalls before netif, then things get more complicated. :)
>

I definitely think that firewalls should be started as early as possible, for obvious reasons. I can't speak for ipfw, but removing the REQUIRE: netif for pf might break some setups where the ruleset references a cloned interface that netif creates. Correct me if I'm wrong?

Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would solve that problem, at least for pf. The idea has been discussed a few times before but I didn't see it go anywhere.

http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003041.html

I'd love to see the rcorder for the firewalls get worked out! :)

Kian
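The ordering question in this thread, as an added example that is not code from the thread or from FreeBSD: a small Python model of how rcorder(8) resolves PROVIDE/REQUIRE keywords, run over constructed header stubs that use the script names from the discussion (FILESYSTEMS, netif, pf, ipfw, and Doug's hypothetical FIREWALLS placeholder). It compares the current layout (firewalls REQUIRE netif), the placeholder layout, and the circular dependency that results if pf keeps its old REQUIRE: netif once netif is made to require the firewalls.

```python
import re
from collections import defaultdict

# Constructed stand-ins for rc.d headers (not the real FreeBSD scripts): only the PROVIDE/REQUIRE lines.
CURRENT = {  # as the thread describes it: the firewalls REQUIRE netif
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: netif\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: netif\n",
}
PROPOSED = {  # Doug's FIREWALLS placeholder, which netif then REQUIREs
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "FIREWALLS": "# PROVIDE: FIREWALLS\n# REQUIRE: ipfw pf\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS FIREWALLS\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: FILESYSTEMS\n",
}
NAIVE = dict(PROPOSED, pf=CURRENT["pf"])  # pf keeps its old REQUIRE: netif -> cycle

def parse_header(text):
    """Return the (provides, requires) keyword sets of one rc.d header."""
    provides, requires = set(), set()
    for line in text.splitlines():
        m = re.match(r"#\s*(PROVIDE|REQUIRE):\s*(.*)", line)
        if m:
            (provides if m.group(1) == "PROVIDE" else requires).update(m.group(2).split())
    return provides, requires

def rcorder(scripts):
    """Start order under a simplified rcorder(8) model (PROVIDE/REQUIRE only,
    alphabetical tie-break). Raises ValueError on a cycle, as rcorder rejects one."""
    provider = defaultdict(set)  # keyword -> scripts that PROVIDE it
    headers = {n: parse_header(t) for n, t in scripts.items()}
    for name, (prov, _) in headers.items():
        for keyword in prov:
            provider[keyword].add(name)
    pending = {n: set() for n in scripts}  # script -> scripts it still waits on
    for name, (_, req) in headers.items():
        for keyword in req:  # a keyword nobody provides is ignored
            pending[name] |= provider.get(keyword, set()) - {name}
    order = []
    while pending:
        ready = sorted(n for n, waits in pending.items() if not waits)
        if not ready:
            raise ValueError("circular dependency: " + " ".join(sorted(pending)))
        order.append(ready[0])
        del pending[ready[0]]
        for waits in pending.values():
            waits.discard(ready[0])
    return order
```

The NAIVE case is the check worth keeping: adding netif's new REQUIRE without dropping the firewalls' REQUIRE: netif produces a cycle, which is what Kian's point about cloned interfaces makes tempting to leave in place.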