Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 17 Jun 2003 08:03:24 -0300
From:      Fred Souza <fred@storming.org>
To:        Mike Makonnen <mtm@identd.net>
Cc:        Mike Bohan <bogin@shortcircut.org>
Subject:   Re: -E flag in /etc/rc.d/ipfilter causes warnings
Message-ID:  <20030617110324.GA49296@torment.storming.org>
In-Reply-To: <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>
References:  <1055813744.18453.21.camel@diesel> <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called. If I'm wrong or you have a
> better alternative to this please let me know.

  Yes, you understood the manpage right and no, I don't think there's a
  better way to detect that. This is something I've thought about and
  couldn't come up with a better solution, either. But there's another
  "issue" about /etc/rc.d/ipfilter that has a work-around: IPv6 support.
  The current script just fires ipf and then ipf -6, whether you have
  IPv6 support or not.

  I don't know the purpose of this, since grepping /etc/rc* and
  /etc/rc.d/* for it doesn't return anything, but there's this line in
  /etc/defaults/rc.conf:

  ipv6_enable="NO"                # Set to YES to set up for IPv6.

  So, assuming there *is* a reason for that variable, I changed my
  /etc/rc.d/ipfilter a bit so it respects that (although only in
  ipfilter_start()):

  case ${OSTYPE} in
  FreeBSD)
          ${ipfilter_program:-/sbin/ipf} -Fa
          if [ -r "${ipfilter_rules}" ]; then
                   ${ipfilter_program:-/sbin/ipf} \
                       -f "${ipfilter_rules}" ${ipfilter_flags}
          fi
          case ${ipv6_enable} in
          [Yy][Ee][Ss])
                  ${ipfilter_program:-/sbin/ipf} -6 -Fa
                  if [ -r "${ipv6_ipfilter_rules}" ]; then
                          ${ipfilter_program:-/sbin/ipf} -6 \
                              -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
                  fi
                  ;;
  esac
  ;;


  Should that be the default, or am I missing anything here?


  Fred


-- 
"They're only trying to make me LOOK paranoid!"

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE+7vV7ZNmEsrl+ROERAq3cAKCDfyBL3Ji0WrOyQR/VW06+YGg1PgCfS15s
6sS3ZMietqMeCtK52r25Mms=
=f6i5
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030617110324.GA49296>