Date:      Tue, 17 Jun 2003 08:03:24 -0300
From:      Fred Souza <fred@storming.org>
To:        Mike Makonnen <mtm@identd.net>
Cc:        Mike Bohan <bogin@shortcircut.org>
Subject:   Re: -E flag in /etc/rc.d/ipfilter causes warnings
Message-ID:  <20030617110324.GA49296@torment.storming.org>
In-Reply-To: <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>
References:  <1055813744.18453.21.camel@diesel> <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>


> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called. If I'm wrong or you have a
> better alternative to this please let me know.

  Yes, you understood the manpage right and no, I don't think there's a
  better way to detect that. This is something I've thought about and
  couldn't come up with a better solution, either. But there's another
  "issue" about /etc/rc.d/ipfilter that has a work-around: IPv6 support.
  The current script just fires ipf and then ipf -6, whether you have
  IPv6 support or not.

  I don't know the purpose of this, since grepping /etc/rc* and
  /etc/rc.d/* for it doesn't return anything, but there's this line in
  /etc/defaults/rc.conf:

  ipv6_enable="NO"                # Set to YES to set up for IPv6.

  So, assuming there *is* a reason for that variable, I changed my
  /etc/rc.d/ipfilter a bit so it respects that (although only in
  ipfilter_start()):

  case ${OSTYPE} in
  FreeBSD)
          ${ipfilter_program:-/sbin/ipf} -Fa
          if [ -r "${ipfilter_rules}" ]; then
                   ${ipfilter_program:-/sbin/ipf} \
                       -f "${ipfilter_rules}" ${ipfilter_flags}
          fi
          case ${ipv6_enable} in
          [Yy][Ee][Ss])
                  ${ipfilter_program:-/sbin/ipf} -6 -Fa
                  if [ -r "${ipv6_ipfilter_rules}" ]; then
                          ${ipfilter_program:-/sbin/ipf} -6 \
                              -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
                  fi
                  ;;
          esac
          ;;


  Should that be the default, or am I missing anything here?


  Fred


-- 
"They're only trying to make me LOOK paranoid!"
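
Added example, not part of Fred Souza's message or of the FreeBSD rc.d script: a dry-run of the gating proposed above, so the effect of `ipv6_enable` and of a missing rules file can be checked without touching live filter state. The function name `ipfilter_start_plan` and the temporary rule files are hypothetical; the variable names are the ones used in the message.

```shell
#!/bin/sh
# Dry-run of the proposed ipfilter_start() logic: each ipf invocation is
# printed instead of executed. ipfilter_start_plan is a hypothetical name.
ipfilter_start_plan() {
    # $1 = ipv6_enable value, $2 = IPv4 rules file, $3 = IPv6 rules file
    ipv6_enable=$1
    ipfilter_rules=$2
    ipv6_ipfilter_rules=$3
    ipf=${ipfilter_program:-/sbin/ipf}
    flags=${ipfilter_flags:+ ${ipfilter_flags}}

    echo "$ipf -Fa"
    if [ -r "${ipfilter_rules}" ]; then
        echo "$ipf -f ${ipfilter_rules}${flags}"
    fi
    # Same case-insensitive YES match as in the message; any other value
    # (NO, empty, unset) skips every "ipf -6" call.
    case ${ipv6_enable} in
    [Yy][Ee][Ss])
        echo "$ipf -6 -Fa"
        if [ -r "${ipv6_ipfilter_rules}" ]; then
            echo "$ipf -6 -f ${ipv6_ipfilter_rules}${flags}"
        fi
        ;;
    esac
}

# Constructed sample input: empty temporary files stand in for the rule sets.
tmp=$(mktemp -d)
: > "$tmp/ipf.rules"
: > "$tmp/ipf6.rules"
for value in NO yes; do
    echo "== ipv6_enable=$value"
    ipfilter_start_plan "$value" "$tmp/ipf.rules" "$tmp/ipf6.rules"
done
rm -rf "$tmp"
```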



