Date: Mon, 1 Jun 2009 06:29:53 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Doug Barton <dougb@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r193198 - head/etc/rc.d
Message-ID: <20090601062701.C12292@maildrop.int.zabbadoz.net>
In-Reply-To: <200906010535.n515Z4qK065272@svn.freebsd.org>
References: <200906010535.n515Z4qK065272@svn.freebsd.org>
On Mon, 1 Jun 2009, Doug Barton wrote:

> Author: dougb
> Date: Mon Jun 1 05:35:03 2009
> New Revision: 193198
> URL: http://svn.freebsd.org/changeset/base/193198
>
> Log:
> Make the pf and ipfw firewalls start before netif, just like ipfilter
> already does. This eliminates a logical inconsistency, and a small
> window where the system is open after the network comes up.

Unfortunately this is contrary to a lot of PRs and requests on mailing
lists out there that actually want the netif/network_ipv6 to be run
_before_ things come up. Especially pf really needs this to avoid rules
that need to do per-packet lookups of the interface address. Further,
ipfw has a default option being settable at compile time and as TUNABLE
to handle this window.

-- 
Bjoern A. Zeeb
The greatest risk is not taking one.