From owner-freebsd-bugs Fri Mar 28 22:30:03 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA12611 for bugs-outgoing; Fri, 28 Mar 1997 22:30:03 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA12605; Fri, 28 Mar 1997 22:30:01 -0800 (PST)
Resent-Date: Fri, 28 Mar 1997 22:30:01 -0800 (PST)
Resent-Message-Id: <199703290630.WAA12605@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org,
Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id WAA12511 for ; Fri, 28 Mar 1997 22:27:34 -0800 (PST)
Received: from mbennett1.sj.scruznet.com by agora.rdrop.com with smtp (Smail3.1.29.1 #17) id m0wArbk-0008rxC; Fri, 28 Mar 97 22:27 PST
Received: (from root@localhost) by mbennett1.sj.scruznet.com (8.8.4/8.8.4) id WAA00320; Fri, 28 Mar 1997 22:23:48 -0800 (PST)
Message-Id: <199703290623.WAA00320@mbennett1.sj.scruznet.com>
Date: Fri, 28 Mar 1997 22:23:48 -0800 (PST)
From: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: misc/3136: rc.firewall should be run after interfaces are up
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 3136
>Category: misc
>Synopsis: rc.firewall should be run after interfaces are up
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Mar 28 22:30:00 PST 1997
>Last-Modified:
>Originator: Nick Sayer
>Organization: just me
>Release: FreeBSD 2.2-BETA_A i386
>Environment:
This machine is a router being used with 'natd'. The natd command line specifies that the address for the portmapping should be obtained from tun0.
>Description:
With the default ordering of netstart, the firewall is created before the interfaces are up.
This is backwards, since tun0 will not have a (useful) address before it is initialized. Nor will anything else, for that matter. Doing the firewall stuff after does not open up any security holes since the default policy is to not pass any traffic. >How-To-Repeat: >Fix: *** /etc/netstart- Mon Dec 23 19:33:04 1996 --- /etc/netstart Fri Mar 28 22:11:51 1997 *************** *** 23,33 **** domainname $defaultdomainname fi - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - sh /etc/rc.firewall - fi - # # XXX This is known to cause an error if /usr is nfs mounted since it # will not be available until after the network is up :-(. Once the --- 23,28 ---- *************** *** 67,72 **** --- 62,72 ---- fi ifconfig ${ifn} done + + # If IP filtering + if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then + sh /etc/rc.firewall + fi if [ -n "$defaultrouter" -a "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" >Audit-Trail: >Unformatted:
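Review bot: on the first hunk (*** 23,33 ****), the justification for pulling the `# If IP filtering` block out of this position (the default ipfw policy denies traffic, so loading rules after the interfaces are configured opens nothing) exists only in the PR text; put it in a comment where the block is removed or re-added so a later reader of netstart does not move it back "to be safe". The removal itself is clean: the `fi` closing the domainname block and the `# XXX This is known to cause an error if /usr is nfs mounted` comment that follows are unaffected.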
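Review bot: on the second hunk (*** 67,72 ****), placing the block right after the `ifconfig ${ifn}` loop and before `static_routes="default ${static_routes}"` is the right spot for rules that need interface addresses, but it still relies on the kernel's default policy being deny; if the default policy is not deny, the interfaces are reachable unfiltered from the end of the ifconfig loop until `sh /etc/rc.firewall` returns. Suggest stating that assumption in the re-added `# If IP filtering` comment, and checking the exit status of `sh /etc/rc.firewall` (for example `sh /etc/rc.firewall || echo "rc.firewall failed"`), since a partial rule load now happens with the interfaces already up.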
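The check the report implies, as an added example that is not the PR's own code and not part of FreeBSD's /etc/netstart: a POSIX sh gate that reads ifconfig-style output and reports whether the interface natd is told to take its address from has an inet address yet, so a startup script refuses to load rules and start natd until the interface is actually up, and fails closed (no rules loaded, default deny in force) otherwise. The function names, the ifconfig output, and the 192.0.2.0/24 addresses are constructed for the example.

```shell
#!/bin/sh
# Added example for PR 3136; not from the PR or from /etc/netstart.

# iface_inet_addr IFNAME -- reads ifconfig-style output on stdin and prints the
# first "inet" address listed under IFNAME (prints nothing if it has none).
iface_inet_addr() {
    awk -v ifn="$1" '
        # An interface header is a line that does not start with whitespace,
        # e.g. "tun0: flags=8051<UP,...> mtu 1500"; remember which interface we are in.
        substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" {
            cur = $1
            sub(/:$/, "", cur)
            next
        }
        # Indented lines belong to the current interface; report its first inet address.
        cur == ifn && $1 == "inet" { print $2; exit }
    '
}

# iface_ready IFNAME IFCONFIG_TEXT -- succeeds (exit 0) only when IFNAME carries an
# inet address other than 0.0.0.0, i.e. an address natd could take from it.
iface_ready() {
    addr=$(printf '%s\n' "$2" | iface_inet_addr "$1")
    [ -n "$addr" ] && [ "$addr" != "0.0.0.0" ]
}

# firewall_can_start IFNAME IFCONFIG_TEXT -- the gate a startup script would put in
# front of "sh /etc/rc.firewall" and the natd start. Failing is the safe outcome:
# with ipfw's default deny policy, no rules loaded means no traffic passed.
firewall_can_start() {
    if iface_ready "$1" "$2"; then
        echo "$1 has an address: safe to run /etc/rc.firewall and start natd"
        return 0
    fi
    echo "$1 has no inet address yet: not loading rules, default deny stays in force" >&2
    return 1
}

# Constructed ifconfig output for tun0 as it would look before and after netstart's
# ifconfig loop. Addresses are taken from the 192.0.2.0/24 documentation range.
IFCONFIG_BEFORE='tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

IFCONFIG_AFTER='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# The ordering problem in one run: the same gate fails before the interfaces are
# configured (the old netstart order) and passes afterwards (the PR's order).
firewall_can_start tun0 "$IFCONFIG_BEFORE" || true
firewall_can_start tun0 "$IFCONFIG_AFTER"
```

In a real netstart the text would come from `ifconfig -a` rather than a variable; the gate is deliberately a pure function of that text so it can be exercised without touching interfaces.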