From owner-freebsd-current@FreeBSD.ORG Tue Jun 17 04:03:30 2003
Date: Tue, 17 Jun 2003 08:03:24 -0300
From: Fred Souza
To: Mike Makonnen
cc: freebsd-current@freebsd.org
cc: Mike Bohan
Subject: Re: -E flag in /etc/rc.d/ipfilter causes warnings
Message-ID: <20030617110324.GA49296@torment.storming.org>
In-Reply-To: <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>
References: <1055813744.18453.21.camel@diesel> <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>
List-Id: Discussions about the use of FreeBSD-current

> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called. If I'm wrong or you have a
> better alternative to this please let me know.
Yes, you understood the manpage right and no, I don't think there's a better
way to detect that. This is something I've thought about and couldn't come up
with a better solution, either.

But there's another "issue" about /etc/rc.d/ipfilter that has a work-around:
IPv6 support. The current script just fires ipf and then ipf -6, whether you
have IPv6 support or not. I don't know the purpose of this, since grepping
/etc/rc* and /etc/rc.d/* for it doesn't return anything, but there's this line
in /etc/defaults/rc.conf:

    ipv6_enable="NO"        # Set to YES to set up for IPv6.

So, assuming there *is* a reason for that variable, I changed my
/etc/rc.d/ipfilter a bit so it respects that (although only in
ipfilter_start()):

    case ${OSTYPE} in
    FreeBSD)
        # Flush the IPv4 rule set, then load the configured rules.
        ${ipfilter_program:-/sbin/ipf} -Fa
        if [ -r "${ipfilter_rules}" ]; then
            ${ipfilter_program:-/sbin/ipf} \
                -f "${ipfilter_rules}" ${ipfilter_flags}
        fi
        # Only touch the IPv6 rule set when rc.conf enables IPv6.
        case ${ipv6_enable} in
        [Yy][Ee][Ss])
            ${ipfilter_program:-/sbin/ipf} -6 -Fa
            if [ -r "${ipv6_ipfilter_rules}" ]; then
                ${ipfilter_program:-/sbin/ipf} -6 \
                    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
            fi
            ;;
        esac
        ;;
    # remaining OSTYPE branches of the script omitted
    esac

Should that be the default, or am I missing anything here?

Fred

-- 
"They're only trying to make me LOOK paranoid!"
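The gating logic from the script above, as an added dry-run example that is not part of the mail thread or of FreeBSD's rc.d/ipfilter: instead of invoking ipf, the hypothetical ipfilter_plan function prints the commands it would run, so the effect of ipv6_enable and of unreadable rule files can be checked on a box without ipfilter installed. The helper names is_yes and ipfilter_plan are assumptions.

```sh
#!/bin/sh
# Added example, not FreeBSD's own rc.d code: a dry run of the start logic.
# ipfilter_plan prints one ipf command per line instead of executing it.

# rc.conf-style YES/NO parsing; anything that is not YES counts as NO.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ipfilter_plan <ipv6_enable value> <ipv4 rules file> <ipv6 rules file>
# Prints the commands that would run; honours ${ipfilter_program} like rc.d.
ipfilter_plan() {
    ipf=${ipfilter_program:-/sbin/ipf}
    v6=$1; rules4=$2; rules6=$3
    echo "$ipf -Fa"
    # Rules are only loaded when the file is readable, as in the script.
    [ -r "$rules4" ] && echo "$ipf -f $rules4"
    if is_yes "$v6"; then
        echo "$ipf -6 -Fa"
        [ -r "$rules6" ] && echo "$ipf -6 -f $rules6"
    fi
    return 0
}
```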