From owner-freebsd-pf@FreeBSD.ORG Sun Oct 2 19:32:29 2005
Date: Sun, 2 Oct 2005 23:32:24 +0400
From: Yar Tikhiy
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in /etc/rc.d: some issues
Message-ID: <20051002193224.GB11825@comp.chem.msu.su>
In-Reply-To: <200509221413.03576.max@love2party.net>
References: <20050922112017.GB16325@comp.chem.msu.su> <200509221413.03576.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Sep 22, 2005 at 02:12:52PM +0200, Max Laier wrote:
> On Thursday 22 September 2005 13:20, Yar Tikhiy wrote:
>
> > First, in the presence of vlan's or other dynamic interfaces it can
> > be hard to ensure that pfsync0 will appear after its syncdev on the
> > final list of interfaces built inside /etc/network.subr from several
> > rc.conf variables and other sources. Consequently, pfsync0 won't
> > get up because it is configured before its syncdev is up and running.
> > IMHO, this problem can be addressed by creating a separate rcNG script
> > for pfsync, which I already did in my systems using PF (see below.)
>
> Sounds reasonable, but put at least an additional $pfsync_ifconfig_flags at
> the end of the ifconfig so that people can specify maxupd. pfsync.4 needs to
> be updated for this as well.

Just added src/etc/rc.d/pfsync, wired it to the system and updated
the relevant manpages. The rc.conf variables are pfsync_enable,
pfsync_syncdev and pfsync_ifconfig, the latter being optional.

> > Second, /etc/rc.d/pf script starts before DAEMON and LOGIN, which
> > is too late IMHO. Can we make it start before "routing"? In an
> > ideal world, a firewall should start before "netif", but I'm unsure
> > if PF can start when not all interfaces mentioned in pf.conf are
> > present in the system yet.
>
> The only remaining problem (that I know of) is "set loginterface" on a
> non-existing interface. Everything else should be taken care of by now.
> This late startup was in fact a bandaid to get things working back then, but
> the problems have been shaken out and now that "set loginterface" is more or
> less obsolete by $pfctl -vsI -i anyway, we could move it back to
> where it belongs. I'd like to keep that change in HEAD for the time being,
> however.

It appears we cannot start pf before netif since we have rc.d/pfsync
now, which should start before pf, but after netif. So I made pf
start before routing for now. No network services should be running
at that time anyway. This change won't affect "set loginterface",
so it should be safe to MFC it to RELENG_6, shouldn't it?

-- 
Yar
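The start order and rc.conf variables the message settles on (pfsync after netif and before pf, pf before routing; pfsync_enable, pfsync_syncdev, optional pfsync_ifconfig appended after syncdev so maxupd can be given), as an added illustrative rc.d-style script. This is not the script committed to src/etc/rc.d/pfsync and not part of the thread; the IFCONFIG override, the mandatory-syncdev precheck, the inline stand-in for run_rc_command and the pf script's assumed "# REQUIRE: pfsync" / "# BEFORE: routing" are assumptions of the example.

```shell
#!/bin/sh
#
# Illustrative rc.d-style script for pfsync.  Added example, NOT the script
# committed to src/etc/rc.d/pfsync; it follows only the rc.conf variables
# the message names (pfsync_enable, pfsync_syncdev, optional pfsync_ifconfig)
# and the start order it settles on:
#
#     netif -> pfsync -> pf -> routing
#
# pfsync0 is configured only once its syncdev exists, pf has its state-sync
# interface before it loads rules, and pf is still up before any route is
# installed or any daemon starts.  The pf script's side of this is assumed
# to be "# REQUIRE: pfsync" and "# BEFORE: routing".
#
# PROVIDE: pfsync
# REQUIRE: netif
# BEFORE: pf

# Defaults an /etc/defaults/rc.conf would supply (assumed values).
: "${pfsync_enable:=NO}"
: "${pfsync_syncdev:=}"
: "${pfsync_ifconfig:=}"

# Command that touches the interface.  Overridable (e.g. IFCONFIG=echo) so the
# argument handling can be exercised without root or a pfsync(4) device; this
# knob is an assumption of the example, not an rc.subr feature.
: "${IFCONFIG:=/sbin/ifconfig}"

# Precondition: syncdev is mandatory.  A pfsync0 without a syncdev comes up but
# never exchanges state, which is worse than a visible startup failure.
pfsync_precmd()
{
	if [ -z "$pfsync_syncdev" ]; then
		echo "pfsync: pfsync_syncdev is not set" >&2
		return 1
	fi
	return 0
}

# Build the ifconfig argument list.  $pfsync_ifconfig goes after syncdev and
# before "up", so an admin can append options such as "maxupd 128".
pfsync_start_args()
{
	set -- pfsync0 syncdev "$pfsync_syncdev"
	if [ -n "$pfsync_ifconfig" ]; then
		# word-splitting of the admin's extra flags is intended
		set -- "$@" $pfsync_ifconfig
	fi
	set -- "$@" up
	echo "$@"
}

pfsync_start()
{
	pfsync_precmd || return 1
	echo "Enabling pfsync."
	$IFCONFIG $(pfsync_start_args)
}

pfsync_stop()
{
	echo "Disabling pfsync."
	$IFCONFIG pfsync0 -syncdev down
}

# Minimal stand-in for run_rc_command(): honour pfsync_enable the way
# rc.subr's checkyesno() would.  Usage: sh pfsync start | stop
case "${1:-}" in
start)
	case "$pfsync_enable" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) pfsync_start ;;
	*) echo "pfsync is disabled; set pfsync_enable=YES in rc.conf" >&2 ;;
	esac
	;;
stop)
	pfsync_stop
	;;
esac
```

Once a script carrying these keywords is in /etc/rc.d, the order rcorder(8) actually computes can be checked with `rcorder /etc/rc.d/* | grep -n -E '/(netif|pfsync|pf|routing)$'`; netif, pfsync, pf and routing must come out in that sequence. The one thing the ordering cannot address is Max's remaining caveat: a "set loginterface" naming an interface that does not exist yet when pf loads its rules.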