Date:      Fri, 28 Mar 1997 22:23:48 -0800 (PST)
From:      nsayer@quack.kfu.com
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   misc/3136: rc.firewall should be run after interfaces are up
Message-ID:  <199703290623.WAA00320@mbennett1.sj.scruznet.com>
Resent-Message-ID: <199703290630.WAA12605@freefall.freebsd.org>


>Number:         3136
>Category:       misc
>Synopsis:       rc.firewall should be run after interfaces are up
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 28 22:30:00 PST 1997
>Last-Modified:
>Originator:     Nick Sayer
>Organization:
just me
>Release:        FreeBSD 2.2-BETA_A i386
>Environment:

This machine is a router being used with 'natd'.
The natd command line specifies that the address for the portmapping
should be obtained from tun0.

>Description:

With the default ordering of netstart, the firewall is created
before the interfaces are up. This is backwards, since
tun0 will not have a (useful) address before it is initialized.
Nor will anything else, for that matter.

Doing the firewall stuff after does not open up any security holes
since the default policy is to not pass any traffic.

>How-To-Repeat:

>Fix:
	
*** /etc/netstart-	Mon Dec 23 19:33:04 1996
--- /etc/netstart	Fri Mar 28 22:11:51 1997
***************
*** 23,33 ****
  	domainname $defaultdomainname
  fi
  
- # If IP filtering
- if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then
- 	sh /etc/rc.firewall
- fi
- 
  #
  # XXX This is known to cause an error if /usr is nfs mounted since it
  # will not be available until after the network is up :-(.  Once the
--- 23,28 ----
***************
*** 67,72 ****
--- 62,72 ----
  	fi
  	ifconfig ${ifn}
  done
+ 
+ # If IP filtering
+ if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then
+ 	sh /etc/rc.firewall
+ fi
  
  if [ -n "$defaultrouter" -a "x$defaultrouter" != "xNO" ] ; then
  	static_routes="default ${static_routes}"
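Review bot: the relocated block now runs after every interface in the loop has been ifconfig'd, so those interfaces carry addresses and can receive packets while no rule set is loaded yet; the description says this is safe because the default policy passes nothing, but that is a property of the kernel the rules are loaded into, not of this script, and a kernel whose default firewall policy is to accept would pass traffic during that window, so the new block should carry a comment stating that dependency (and /etc/rc.firewall should itself start from a deny-all rule so the window does not depend on a kernel option). Also worth confirming that tun0 is among the interfaces this loop configures: if tun0 is only brought up later by the PPP daemon rather than by `ifconfig ${ifn}` here, moving the block still runs rc.firewall before tun0 has an address, and the natd address lookup problem the report describes is not fixed by the move alone.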

>Audit-Trail:
>Unformatted:
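The report's concern is that a rule script run before an interface has its address produces rules built around an empty address. As an added example, not taken from PR misc/3136 or from FreeBSD's netstart or rc.firewall, the script below shows the check a rule generator should make for itself regardless of where netstart calls it: read the interface's ifconfig(8) output, refuse to emit address-dependent rules while there is no inet address, and fall back to deny-all so the window the report worries about stays closed. The ifconfig samples are constructed (192.0.2.0/24 is the documentation range), the divert rule follows the form natd(8) documents, and the anti-spoofing rule is this example's own assumption.

```shell
#!/bin/sh
# Added example; not from PR misc/3136 or FreeBSD's /etc/netstart or rc.firewall.
# Builds ipfw rules only once the external interface has an address, so that a
# premature run (the tun0-before-ppp case) installs deny-all instead of rules
# with an empty address field.

# iface_inet: read ifconfig(8)-style output on stdin and print the first
# "inet" address.  Prints nothing and returns 1 when there is no inet line.
iface_inet() {
    _addr=""
    while read -r _key _val _rest; do
        if [ "$_key" = "inet" ] && [ -z "$_addr" ]; then
            _addr=$_val
        fi
    done
    [ -n "$_addr" ] || return 1
    printf '%s\n' "$_addr"
}

# build_firewall IFNAME: read ifconfig output for IFNAME on stdin and print the
# ipfw(8) commands for a natd router on that interface.  If the interface has
# no address yet, print only the deny-all rule and return 1 so the caller
# knows the rule set is incomplete.  The divert rule is the form natd(8)
# documents; the anti-spoofing rule is an assumption of this example.
build_firewall() {
    _ifn=$1
    _ip=$(iface_inet) || {
        printf 'ipfw add deny ip from any to any\n'
        return 1
    }
    # Anti-spoofing: nothing arriving from outside may claim our own address.
    printf 'ipfw add deny ip from %s to any in via %s\n' "$_ip" "$_ifn"
    # Hand everything crossing the external interface to natd.
    printf 'ipfw add divert natd ip from any to any via %s\n' "$_ifn"
    # Explicit deny-all, matching the kernel default the report relies on.
    printf 'ipfw add deny ip from any to any\n'
}

# Constructed ifconfig output for tun0 before and after it has an address
# (addresses from the 192.0.2.0/24 documentation range; values are made up).
TUN0_DOWN='tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500'
TUN0_UP='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff'

# Stand-alone demonstration: before tun0 is up only deny-all is produced;
# afterwards the full rule set carries the real address.
printf '%s\n' "$TUN0_DOWN" | build_firewall tun0 || echo '# tun0 has no address yet; rules withheld'
printf '%s\n' "$TUN0_UP"   | build_firewall tun0
```

In a real rc.firewall the stdin would be `ifconfig tun0 | build_firewall tun0` and the printed commands would be executed rather than echoed; the non-zero return is what lets the caller distinguish "rules loaded" from "deny-all installed, retry once the interface is up".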


