From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 17:03:50 2007
Return-Path: 
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4FE0016A406 for ; Mon, 19 Mar 2007 17:03:50 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.freebsd.org (Postfix) with SMTP id E4CBC13C4D0 for ; Mon, 19 Mar 2007 17:03:49 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 30780 invoked by uid 399); 19 Mar 2007 17:03:44 -0000
Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 19 Mar 2007 17:03:44 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <45FEC26E.40504@FreeBSD.org>
Date: Mon, 19 Mar 2007 10:03:42 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (X11/20070116)
MIME-Version: 1.0
To: Kian Mohageri
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org> <45FE39AE.4070407@gmail.com>
In-Reply-To: <45FE39AE.4070407@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Mark Andrews , freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-BeenThere: freebsd-rc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion related to /etc/rc.d design and implementation."
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Mar 2007 17:03:50 -0000

Kian Mohageri wrote:
> After re-reading your original idea, I think I understand a little
> better what you mean to do. For clarification, are you proposing that
> the [early] firewall scripts do nothing if firewall_late_enable=YES, and
> then have all firewalling taken care of later in the boot process (i.e.
> post-networking) by firewall_late?
>
> I think I might have misunderstood your original proposal :)

I think so too. :)

To be clear, what I'm suggesting is that we move ipfw and pf to a spot in the rcorder that is ahead of netif, along with ipfilter which is already there. I am not suggesting that we change their functionality, just the ordering.

As a completely separate thing (although they could be done at the same time) I am suggesting _adding_ a new script for "late" firewall rules (where "late" is defined as after netif) so that people who want to do firewall-related things that require netif (like cloned interfaces, FQDN rules, etc.) will have a standard way to accomplish that.

Thanks for the opportunity to clarify,

Doug

-- 
This .signature sanitized for your protection
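The ordering Doug describes is decided by the `# PROVIDE:` / `# REQUIRE:` / `# BEFORE:` header comments that rcorder(8) reads from each /etc/rc.d script. The following added example (written for this page, not code from the FreeBSD project or from either poster) is a small Python model of that dependency resolution: it parses rcorder-style headers and computes a start order, so you can check whether a given set of headers actually puts the firewall scripts ahead of netif and a "late" firewall script after it. All script headers below are constructed for illustration and do not reproduce the real 2007 /etc/rc.d files; the script name `firewall_late` and the `FILESYSTEMS` label are taken from the thread, the rest of the dependency details are assumptions.

```python
import re
from collections import defaultdict

# Matches rcorder(8)-style keyword lines in an rc.d script header.
KEYWORD_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)


def parse_keywords(text):
    """Return the PROVIDE/REQUIRE/BEFORE labels declared in an rc.d header."""
    keys = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for keyword, names in KEYWORD_RE.findall(text):
        keys[keyword].extend(names.split())
    return keys


def rcorder(scripts):
    """Compute a start order for {script_name: header_text}.

    A script must start after every provider of each label it REQUIREs and
    before every provider of each label it names in BEFORE.  Labels that no
    script provides are ignored (real rcorder warns about them).  Ties are
    broken alphabetically so the result is deterministic.
    """
    parsed = {name: parse_keywords(text) for name, text in scripts.items()}
    providers = defaultdict(set)
    for name, kw in parsed.items():
        providers[name].add(name)          # a script implicitly provides its own name
        for label in kw["PROVIDE"]:
            providers[label].add(name)

    after = defaultdict(set)               # after[a] = scripts that must start after a
    indeg = {name: 0 for name in scripts}  # number of predecessors not yet started

    def edge(a, b):
        if a != b and b not in after[a]:
            after[a].add(b)
            indeg[b] += 1

    for name, kw in parsed.items():
        for label in kw["REQUIRE"]:
            for provider in providers.get(label, ()):
                edge(provider, name)
        for label in kw["BEFORE"]:
            for provider in providers.get(label, ()):
                edge(name, provider)

    # Kahn's algorithm; a leftover script means the headers form a cycle.
    ready = sorted(n for n, d in indeg.items() if d == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in sorted(after[current]):
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
                ready.sort()
    if len(order) != len(scripts):
        stuck = sorted(set(scripts) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


# Constructed headers (assumption): firewall scripts that REQUIRE netif, so
# interfaces are configured before any rules are loaded.
CURRENT_LAYOUT = {
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "ipfilter": "# PROVIDE: ipfilter\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: netif\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: netif\n",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
}

# Constructed headers (assumption) for the layout proposed in the mail:
# ipfw and pf move ahead of netif like ipfilter, and a separate
# firewall_late script runs once netif has finished.
PROPOSED_LAYOUT = dict(CURRENT_LAYOUT)
PROPOSED_LAYOUT["ipfw"] = "# PROVIDE: ipfw\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n"
PROPOSED_LAYOUT["pf"] = "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n"
PROPOSED_LAYOUT["firewall_late"] = "# PROVIDE: firewall_late\n# REQUIRE: netif\n"


def firewalls_precede_netif(scripts, firewalls=("ipfilter", "ipfw", "pf")):
    """True when every listed firewall script is ordered before netif."""
    order = rcorder(scripts)
    return all(order.index(fw) < order.index("netif") for fw in firewalls if fw in order)


if __name__ == "__main__":
    for label, layout in (("current", CURRENT_LAYOUT), ("proposed", PROPOSED_LAYOUT)):
        print(label, rcorder(layout), "firewalls before netif:", firewalls_precede_netif(layout))
```

Running the module prints both orders; the property worth checking on a real system is the boolean returned by `firewalls_precede_netif`, since it flags any packet-filter script that only loads its rules after netif has already brought the interfaces up. The same parser can be pointed at actual `/etc/rc.d` files by reading each file's text into the dictionary.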