From owner-freebsd-rc@FreeBSD.ORG Wed Dec 31 05:20:05 2008
Date: Wed, 31 Dec 2008 05:20:05 GMT
Message-Id: <200812310520.mBV5K5R3015454@freefall.freebsd.org>
To: freebsd-rc@FreeBSD.org
From: Bruce Cran
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
List-Id: "Discussion related to /etc/rc.d design and implementation."

The following reply was made to PR conf/96343; it has been noted by GNATS.
From: Bruce Cran
To: bug-followup@FreeBSD.org, michael@gargantuan.com
Cc:
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
Date: Wed, 31 Dec 2008 05:19:04 +0000

[http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/96343]

Ideally the firewall should be started before any interfaces become active, to avoid the possibility of an attacker getting in between the interface being active and the firewall being turned on; on 8-CURRENT the startup procedure has been changed so that this is the case.

It should be possible to make pf work by, for example, changing

    pass ... on re0 from any to re0 ...

to

    pass ... on re0 from any to (re0) ...

With the second line, pf now doesn't require re0 to have an IP address in order to load the firewall rules.

--
Bruce Cran
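The rewrite Bruce describes, shown as a minimal pf.conf fragment with the weak rule beside the corrected one. This is an added illustration, not part of the PR or of Bruce's reply; the interface name re0 comes from the reply, while the macro name, the port and the default-block policy are assumptions.

```pf
# Added example (not from PR conf/96343 or Bruce Cran's reply).
# re0 is the interface named in the reply; ext_if, port 22 and the
# block-by-default policy are assumed for illustration.
ext_if = "re0"

# Before: a bare interface name as the destination is resolved to the
# interface's address(es) at ruleset load time. If pf starts before the
# interface has an address (the 8-CURRENT ordering), the load fails and
# the box comes up without its ruleset.
# pass in on $ext_if proto tcp from any to $ext_if port 22

# After: the parenthesised form tells pf to track the interface's
# addresses at run time, so the ruleset loads on a still-unconfigured
# interface and keeps matching as addresses are added later (including
# IPv6 addresses configured by the inet6 script).
block in on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port 22
pass out on $ext_if
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to confirm the ruleset no longer depends on the interface already having an address.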