Date:      Sat, 17 Mar 2007 16:50:06 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Mark Andrews <Mark_Andrews@isc.org>
Cc:        freebsd-net@freebsd.org, freebsd-rc@freebsd.org
Subject:   Re: rc.order wrong (ipfw)
Message-ID:  <45FC7EAE.803@FreeBSD.org>
In-Reply-To: <200703171210.l2HCAD63046801@drugs.dv.isc.org>
References:  <200703171210.l2HCAD63046801@drugs.dv.isc.org>


[ Re-locating this thread from -stable. ]

Mark Andrews wrote:
>> On Saturday 17 March 2007 03:58, Mark Andrews wrote:
>>
>>>>> nothing goes to this machine because by default everything is blocked
>>>>> until
>>>>>
>>>>> you permit it
>>>> You're absolutely correct, however your original post seems to have
>>>> taken many of us by surprise, causing some of us (at least me!) to
>>>> assume that you've changed the default method to allow.  I'm obviously
>>>> misunderstanding, so I apologise for that, but I hope you can see the
>>>> reasoning behind my comments with what I knew at the time.  :)
>>> 	ipfw needs to be before networking or router discovery
>>> 	fails for IPv6.
>>>
>>> 	http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589
>>>
>>
>> as default any network connection will fail so long as you do not permit it
>>
>> If rtsol fails or is called too early it is an rtsol problem and not an ipfw
>> problem I guess
>>
>> named and ipfw before netif?
> 
> 	ip6fw is before networking. ipfw is supposed to be taking
> 	over from ip6fw.  ipfw and ip6fw should be started at a
> 	similar time.
> 
> 	rtsol is approximately the equivalent to DHCP.  The machine is
> 	requesting an address from the network.  It doesn't matter if
> 	it is a router or a DHCP server that is supplying the address.
> 
> 	DHCP only works because it bypasses the firewall.

Mark,

Currently the order (with some non-networking items removed) is:

/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/sppp
/etc/rc.d/auto_linklocal
/etc/rc.d/pccard
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

ipfilter starts very early in the "late" section of rcorder; it 
requires mountcritlocal (the default early_late_divider) and has a 
BEFORE: netif.

Currently ip6fw actually starts after routing (and therefore after 
netif). Before we move it I think someone who knows more about how 
rtsol works than I do should comment. AFAICT, network_ipv6 is going to 
need routing up. If ip6fw's functionality is going to be subsumed into 
ipfw, then changing ipfw to run before netif now, and nuking ip6fw 
later is probably sufficient.

If it's reasonable to conclude that we want all the firewalls to start 
before netif, I see two ways to accomplish that. One would be to have 
netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is 
cleaner, but netif already has a pretty long REQUIRE line. The other 
way would be to add a new FIREWALLS placeholder for the REQUIREs I'm 
suggesting above, and then have netif REQUIRE that.

If, on the other hand, there is some reason NOT to start all the 
firewalls before netif, then things get more complicated. :)

The attached patch changes the rcorder to the following:

/etc/rc.d/sppp
/etc/rc.d/ipfw
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/auto_linklocal
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

Thoughts?

Doug

-- 

     This .signature sanitized for your protection

[Attachment: rc-firewalls.diff]

Index: ip6fw
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ip6fw,v
retrieving revision 1.8
diff -u -r1.8 ip6fw
--- ip6fw	31 Dec 2006 10:37:18 -0000	1.8
+++ ip6fw	17 Mar 2007 21:28:18 -0000
@@ -5,7 +5,6 @@
 
 # PROVIDE: ip6fw
 # REQUIRE: routing
-# BEFORE: network_ipv6
 # KEYWORD: nojail
 
 . /etc/rc.subr
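Review bot: removing BEFORE: network_ipv6 keeps ip6fw ahead of network_ipv6 only because the network_ipv6 hunk adds ip6fw to its REQUIRE line; if the two files are committed separately, nothing orders the IPv6 firewall before IPv6 configuration in between. REQUIRE: routing also stays, so ip6fw still runs after netif, unlike the other firewalls touched here; a one-line comment next to it saying why it is the exception would spare the next reader a trip to this thread.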
Index: ipfilter
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipfilter,v
retrieving revision 1.26
diff -u -r1.26 ipfilter
--- ipfilter	31 Dec 2006 10:37:18 -0000	1.26
+++ ipfilter	17 Mar 2007 21:15:21 -0000
@@ -6,7 +6,6 @@
 
 # PROVIDE: ipfilter
 # REQUIRE: root mountcritlocal
-# BEFORE:  netif
 # KEYWORD: nojail
 
 . /etc/rc.subr
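Review bot: this BEFORE: netif was already implied by netif's own REQUIRE line (ipfilter is listed there both before and after the patch), so the removal does not change the order; fine as a cleanup, but say so in the commit message to avoid the impression that ipfilter moved.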
Index: ipfs
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipfs,v
retrieving revision 1.6
diff -u -r1.6 ipfs
--- ipfs	7 Oct 2004 13:55:26 -0000	1.6
+++ ipfs	17 Mar 2007 21:15:43 -0000
@@ -6,7 +6,6 @@
 
 # PROVIDE: ipfs
 # REQUIRE: ipnat
-# BEFORE:  netif
 # KEYWORD: nojail shutdown
 
 . /etc/rc.subr
Index: ipfw
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipfw,v
retrieving revision 1.14
diff -u -r1.14 ipfw
--- ipfw	31 Dec 2006 10:37:18 -0000	1.14
+++ ipfw	17 Mar 2007 21:31:21 -0000
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: ipfw
-# REQUIRE: ppp
-# BEFORE: NETWORKING
+# REQUIRE: root mountcritlocal
 # KEYWORD: nojail
 
 . /etc/rc.subr
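Review bot: the old REQUIRE: ppp is dropped without recording why it existed. If it was there so that rc.firewall rules could refer to the ppp interface, those rules are now loaded before that interface exists; ipfilter has loaded its rules before netif for a long time, so the script itself should cope, but the commit message should state the change, and rc.firewall should be checked for anything that reads interface addresses that are only assigned by netif or ppp later in the boot.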
Index: ipnat
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipnat,v
retrieving revision 1.15
diff -u -r1.15 ipnat
--- ipnat	31 Dec 2006 10:37:18 -0000	1.15
+++ ipnat	17 Mar 2007 21:15:29 -0000
@@ -6,7 +6,6 @@
 
 # PROVIDE: ipnat
 # REQUIRE: ipfilter
-# BEFORE:  DAEMON netif
 # KEYWORD: nojail
 
 . /etc/rc.subr
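Review bot: besides netif, this line also carried BEFORE: DAEMON, and nothing in the patch re-adds it. ipnat still ends up before netif transitively (ipfs REQUIREs ipnat, and netif now REQUIREs ipfs), but please confirm DAEMON is still ordered after netif through NETWORKING so no daemon can start before the NAT rules are loaded.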
Index: netif
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/netif,v
retrieving revision 1.22
diff -u -r1.22 netif
--- netif	9 Feb 2007 12:11:26 -0000	1.22
+++ netif	17 Mar 2007 23:04:21 -0000
@@ -26,7 +26,8 @@
 #
 
 # PROVIDE: netif
-# REQUIRE: atm1 ipfilter mountcritlocal serial sppp sysctl
+# REQUIRE: atm1 mountcritlocal serial sppp sysctl
+# REQUIRE: ipfilter ipfs pf ipfw
 # KEYWORD: nojail
 
 . /etc/rc.subr
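Review bot: the second REQUIRE line deliberately omits ip6fw; with ip6fw keeping REQUIRE: routing and routing following netif, listing it here would hand rcorder a cycle. A comment on this line recording that, and that ipnat is covered through ipfs, would document the intent in the script rather than only in this thread. This hunk is also the one that actually moves the firewalls: the BEFORE removals in the other files are safe only together with it, so the set needs to land as a single commit.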
Index: network_ipv6
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/network_ipv6,v
retrieving revision 1.37
diff -u -r1.37 network_ipv6
--- network_ipv6	7 Oct 2004 13:55:26 -0000	1.37
+++ network_ipv6	17 Mar 2007 21:20:18 -0000
@@ -29,7 +29,7 @@
 #
 
 # PROVIDE: network_ipv6
-# REQUIRE: routing
+# REQUIRE: routing ip6fw
 # KEYWORD: nojail
 
 . /etc/rc.subr
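Review bot: this preserves the existing ip6fw before network_ipv6 order rather than starting ip6fw any earlier, so by itself it does nothing for the rtsol problem that opened the thread; that is addressed by ipfw now running before netif. The hunk is the other half of the ip6fw change above and should be committed with it.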
Index: pf
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/pf,v
retrieving revision 1.14
diff -u -r1.14 pf
--- pf	31 Dec 2006 10:37:18 -0000	1.14
+++ pf	17 Mar 2007 21:18:13 -0000
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
-# BEFORE:  routing
+# REQUIRE: root mountcritlocal pflog pfsync
 # KEYWORD: nojail
 
 . /etc/rc.subr
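Review bot: the original REQUIRE on netif may not have been accidental. pfctl expands an interface name used as an address (an unparenthesized $ext_if, or one with a :network suffix) when the ruleset is loaded, and with pf now ahead of netif those interfaces carry no addresses yet, so such rulesets would fail to load at boot. Either keep netif in the REQUIRE line and drop only BEFORE: routing, or call this out in the commit message so users know to switch to the parenthesized interface form.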
Index: pflog
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/pflog,v
retrieving revision 1.10
diff -u -r1.10 pflog
--- pflog	31 Dec 2006 10:37:18 -0000	1.10
+++ pflog	17 Mar 2007 21:18:21 -0000
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pflog
-# REQUIRE: root mountcritlocal netif cleanvar
+# REQUIRE: root mountcritlocal cleanvar
 # KEYWORD: nojail
 
 . /etc/rc.subr
Index: pfsync
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/pfsync,v
retrieving revision 1.2
diff -u -r1.2 pfsync
--- pfsync	31 Dec 2006 10:37:18 -0000	1.2
+++ pfsync	17 Mar 2007 21:18:33 -0000
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pfsync
-# REQUIRE: root mountcritlocal netif
+# REQUIRE: root mountcritlocal
 # KEYWORD: nojail
 
 . /etc/rc.subr
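Review bot: with netif dropped, pfsync0's syncdev is configured before netif runs. That is fine when the syncdev is a physical interface the driver attaches at boot, but a syncdev on an interface that netif itself creates (a cloned interface) would not exist yet; worth checking and noting in the commit message.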

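As an added illustration (not part of this message or of the FreeBSD rc.d code), a small Python model of how rcorder(8) turns PROVIDE/REQUIRE/BEFORE headers into a boot order, run over header texts constructed from the ones quoted in this thread; it checks the pre-patch order, the patch's "netif REQUIREs the firewalls" approach, and the FIREWALLS placeholder alternative. It assumes Python 3.9 or newer for graphlib, and silently ignores a REQUIRE on a name nothing provides, where the real rcorder prints a warning.

```python
"""Tiny model of rcorder(8): each script's PROVIDE/REQUIRE/BEFORE header becomes
graph edges and a topological sort gives the boot order (constructed headers)."""
import re
from graphlib import TopologicalSorter  # assumes Python 3.9 or newer
HDR = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse_header(text):
    """Collect the PROVIDE/REQUIRE/BEFORE words; repeated lines accumulate."""
    d = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, val in HDR.findall(text):
        d[key] += val.split()
    return d

def rc_order(scripts):
    """scripts: {name: header_text}. Returns the start order as a list."""
    hdr = {n: parse_header(t) for n, t in scripts.items()}
    provider = {p: n for n, h in hdr.items() for p in h["PROVIDE"]}
    deps = {n: set() for n in scripts}  # script -> scripts that must run first
    for n, h in hdr.items():
        for r in h["REQUIRE"]:
            if r in provider:  # unknown provider: the real rcorder only warns
                deps[n].add(provider[r])
        for b in h["BEFORE"]:  # "BEFORE: x" is the same edge as x saying "REQUIRE: me"
            if b in provider:
                deps[provider[b]].add(n)
    return list(TopologicalSorter(deps).static_order())  # CycleError on a loop

def firewalls_before_netif(order):
    return all(order.index(f) < order.index("netif") for f in ("ipfilter", "pf", "ipfw"))

BASE = {
    "mountcritlocal": "# PROVIDE: mountcritlocal\n",
    "ipfilter": "# PROVIDE: ipfilter\n# REQUIRE: mountcritlocal\n# BEFORE: netif\n",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
    "ppp": "# PROVIDE: ppp\n# REQUIRE: routing\n",
    "NETWORKING": "# PROVIDE: NETWORKING\n# REQUIRE: netif routing\n",
}
# Before the patch: pf waits for netif and ipfw waits for ppp (hence routing, hence netif).
BEFORE_PATCH = dict(BASE,
    pf="# PROVIDE: pf\n# REQUIRE: mountcritlocal netif\n# BEFORE: routing\n",
    ipfw="# PROVIDE: ipfw\n# REQUIRE: ppp\n# BEFORE: NETWORKING\n",
    netif="# PROVIDE: netif\n# REQUIRE: ipfilter mountcritlocal\n")
# The patch's approach: firewalls drop their netif/ppp dependencies, netif REQUIREs them.
AFTER_PATCH = dict(BASE,
    pf="# PROVIDE: pf\n# REQUIRE: mountcritlocal\n",
    ipfw="# PROVIDE: ipfw\n# REQUIRE: mountcritlocal\n",
    netif="# PROVIDE: netif\n# REQUIRE: mountcritlocal\n# REQUIRE: ipfilter pf ipfw\n")
# The FIREWALLS placeholder alternative from the message: netif REQUIREs a single name.
PLACEHOLDER = dict(AFTER_PATCH,
    FIREWALLS="# PROVIDE: FIREWALLS\n# REQUIRE: ipfilter pf ipfw\n",
    netif="# PROVIDE: netif\n# REQUIRE: mountcritlocal FIREWALLS\n")
```

Running `rc_order` on the three dictionaries shows the firewalls landing after netif only in the pre-patch set; a REQUIRE on a script that in turn REQUIREs routing (as ip6fw does) would make `TopologicalSorter` raise `CycleError`, which is the same reason the patch leaves ip6fw out of netif's REQUIRE line.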