Date:      Wed, 24 Oct 2001 11:28:19 -0700
From:      "R.P. Aditya" <aditya@grot.org>
To:        freebsd-security@freebsd.org
Cc:        freebsd-mobile@freebsd.org
Subject:   ipfilter resync on pccard_ether insertions?
Message-ID:  <20011024112819.A27379@mighty.grot.org>

Hi,

AFAIK, any time a new interface is added, ipfilter needs to be "resynced" with
an "ipf -y":

       -y     Manually resync the in-kernel interface list maintained
              by IP Filter with the current interface status list.

to facilitate this for pccard interfaces, I made some local changes to
/etc/defaults/rc.conf and /etc/pccard_ether; do these changes look reasonable?
Can someone recommend a better approach? (My ipf.rules protect the entire box
regardless of interface so it seems to work fine) If not, any objections to
committing this?:

diff -r1.1 /etc/defaults/rc.conf
62c62
< ipfilter_program="/sbin/ipf -Fa -f"
---
> ipfilter_program="/sbin/ipf"
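Review bot: With the flags moved out of ipfilter_program on the ">" line, an /etc/rc.conf that still overrides it with the old value "/sbin/ipf -Fa -f" makes the new pccard_ether call "${ipfilter_program:-/sbin/ipf} -y" expand to "/sbin/ipf -Fa -f -y", which flushes all rules and passes -y as the argument to -f instead of resyncing. The comment for this variable should state that it must now be the bare binary path, with all options going in ipfilter_flags.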
67c67
< ipfilter_flags="-E"           # should be *empty* when ipf is _not_ a module
---
> ipfilter_flags=" -Fa -f"      # should be *empty* when ipf is _not_ a module
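Review bot: The new ipfilter_flags value drops -E, and the unchanged trailing comment still tells users to empty this variable when ipf is not a module, which would now also remove -Fa -f and leave the rules file without its -f. Either keep -E here and carry the load options in a separate variable, or rewrite the comment to match the new contents. The leading space inside the quotes in " -Fa -f" also looks unintended.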

and:

diff -r1.1 /etc/pccard_ether
9a10,15
> if [ -x /usr/bin/logger ]; then
>       LOGGER="/usr/bin/logger -s -p user.notice -t pccard_ether"
> else
>       LOGGER=echo
> fi
> 
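Review bot: The two LOGGER branches behave differently: "logger -s" copies the message to stderr as well as syslog, while the "LOGGER=echo" fallback writes to stdout only. A small shell function in place of the variable would let the fallback redirect to stderr, so the message lands on the same stream in both cases.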
29a36,45
> 
>               #resync ipf if we bring up a new interface
>               if /sbin/ipfstat -i > /dev/null 2>&1; then
>                       case "${ipfilter_enable}" in
>                       [Yy][Ee][Ss])
>                               ${ipfilter_program:-/sbin/ipf} -y
>                               $LOGGER "Resyncing ipf to use new interface"
>                       ;;
>                       esac
>               fi
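Review bot: The "Resyncing ipf to use new interface" message is logged after "${ipfilter_program:-/sbin/ipf} -y" regardless of its exit status, so a failed resync is reported as if it had happened. Test the exit status and log a distinct message on failure, since a failed resync means the new interface may not be covered by the loaded rules. The probe also hard-codes /sbin/ipfstat while ipf itself comes from ${ipfilter_program}; a short comment that the probe only checks whether ipf is loaded would help.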
31c47
<               echo "${dhcp_program}: DHCP client software not available"
---
>               $LOGGER "${dhcp_program}: DHCP client software not available"
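Review bot: Switching this DHCP message from echo to $LOGGER is unrelated to the ipf resync and would be easier to review and revert as a separate change. The message reports a failure, so the user.notice priority set in the LOGGER definition may also be too low for it.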

Thanks,
Adi
