From owner-freebsd-rc@FreeBSD.ORG  Wed Dec 31 05:20:05 2008
Return-Path: <owner-freebsd-rc@FreeBSD.ORG>
Delivered-To: freebsd-rc@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6DEDF1065672
	for <freebsd-rc@hub.freebsd.org>; Wed, 31 Dec 2008 05:20:05 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 5D3F28FC14
	for <freebsd-rc@hub.freebsd.org>; Wed, 31 Dec 2008 05:20:05 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mBV5K5th015455
	for <freebsd-rc@freefall.freebsd.org>; Wed, 31 Dec 2008 05:20:05 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mBV5K5R3015454;
	Wed, 31 Dec 2008 05:20:05 GMT (envelope-from gnats)
Date: Wed, 31 Dec 2008 05:20:05 GMT
Message-Id: <200812310520.mBV5K5R3015454@freefall.freebsd.org>
To: freebsd-rc@FreeBSD.org
From: Bruce Cran <bruce@cran.org.uk>
Cc: 
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
X-BeenThere: freebsd-rc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Bruce Cran <bruce@cran.org.uk>
List-Id: "Discussion related to /etc/rc.d design and implementation."
	<freebsd-rc.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-rc>,
	<mailto:freebsd-rc-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-rc>
List-Post: <mailto:freebsd-rc@freebsd.org>
List-Help: <mailto:freebsd-rc-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-rc>,
	<mailto:freebsd-rc-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2008 05:20:05 -0000

The following reply was made to PR conf/96343; it has been noted by GNATS.

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, michael@gargantuan.com
Cc:  
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
Date: Wed, 31 Dec 2008 05:19:04 +0000

 [http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/96343]
 
 Ideally the firewall should be started before any interfaces become
 active to avoid the possibility for an attacker to get in between the
 interface being active and the firewall being turned on; on 8-CURRENT
 the startup procedure has been changed so that this is the case.  It
 should be possible to make pf work by for example changing
 
 pass ... on re0 from any to re0 ...
 
 to
 
 pass ... on re0 from any to (re0) ...
 
 With the second line, pf now doesn't require re0 to have an IP address
 in order to load the firewall rules.
 
 -- 
 Bruce Cran