From owner-freebsd-net@FreeBSD.ORG Mon Mar 19 07:20:21 2007
From: Kian Mohageri
Date: Mon, 19 Mar 2007 00:20:14 -0700
To: Doug Barton
Cc: freebsd-net@freebsd.org, Mark Andrews, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
Message-ID: <45FE39AE.4070407@gmail.com>
In-Reply-To: <45FE13E5.9060902@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

Doug Barton wrote:

> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, but IMO
> those are the exception, not the rule. Furthermore (and I'm betraying a
> prejudice here) I think that firewall rules that rely on name resolution
> are absolutely nuts, and I say that with many years of experience as a
> professional DNS and system administrator.

Agreed. FQDNs in a ruleset are a pretty stupid idea. I guess I also agree with the reasoning that changing the common case as little as possible is good.

> Therefore I believe strongly that the default behavior should be changed
> to load all firewalls (and rules) before netif, and that those who want
> to do firewall-related things that require netif or routing to be up
> should be the ones who have to opt in to the new script. That said, I
> think you and I have expressed our opinions pretty clearly on these
> points, so I'd suggest that we let someone else have a turn.

After re-reading your original idea, I think I understand a little better what you mean to do. For clarification, are you proposing that the [early] firewall scripts do nothing if firewall_late_enable=YES, and then have all firewalling taken care of later in the boot process (i.e. post-networking) by firewall_late? I think I might have misunderstood your original proposal :)

-Kian