From owner-freebsd-net@FreeBSD.ORG Mon Mar 19 20:12:48 2007
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3122516A403; Mon, 19 Mar 2007 20:12:48 +0000 (UTC) (envelope-from dgilbert@daveg.ca)
Received: from ox.eicat.ca (ox.eicat.ca [66.96.30.35]) by mx1.freebsd.org (Postfix) with ESMTP id 015BB13C457; Mon, 19 Mar 2007 20:12:47 +0000 (UTC) (envelope-from dgilbert@daveg.ca)
Received: by ox.eicat.ca (Postfix, from userid 66) id D2981DA82; Mon, 19 Mar 2007 16:12:46 -0400 (EDT)
Received: by canoe.dclg.ca (Postfix, from userid 101) id 635A161C8A; Mon, 19 Mar 2007 15:12:52 -0500 (EST)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <17918.61124.353668.804988@canoe.dclg.ca>
Date: Mon, 19 Mar 2007 15:12:52 -0500
To: Doug Barton
In-Reply-To: <45FE13E5.9060902@FreeBSD.org>
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org>
X-Mailer: VM 7.17 under 21.4 (patch 20) "Double Solitaire" XEmacs Lucid
Cc: freebsd-net@freebsd.org, Mark Andrews, Kian Mohageri, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 19 Mar 2007 20:12:48 -0000

>>>>> "Doug" == Doug Barton writes:

Doug> Kian Mohageri wrote:
>> I agree VERY MUCH with this sort of approach. It would be a much
>> cleaner solution than completely separate handling of all of these
>> different problems. I'm trying to get an idea of what all of the
>> major problems with the current order are, and these are the ones
>> I'm aware of:
>>
>> - ipfw blocks by default (names unresolvable, rtsol breaks)
>> - ipf/pf pass by default (services are unprotected)
>>
>> I think a firewall_boot script (similar to what you've proposed)
>> could potentially solve all of these problems.

Doug> exception, not the rule. Furthermore (and I'm betraying a
Doug> prejudice here) I think that firewall rules that rely on name
Doug> resolution are absolutely nuts, and I say that with many years
Doug> of experience as a professional DNS and system administrator.

I think you're misreading the above. The poster is saying that because
ipfw's default behaviour is block, loading it at the wrong time can
break other startup items because they require name resolution or the
sending of packets (rtsol).

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can be         |
|Mail:       dave@daveg.ca                    | equal if and only if they |
|http://daveg.ca                              | are precisely opposite.   |
=========================================================GLO================
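The ordering problem Dave describes (ipfw's default-deny ruleset is loaded, then scripts that need DNS or router solicitation start behind it) can be checked on a running box from rcorder(8) output. The script below is an added example, not code from the thread or from the FreeBSD rc system: it reads an rcorder listing and reports which named rc.d scripts are scheduled after the firewall script. The rc.d names used (ipfw, netif, rtsold, routing, named, ntpdate, sshd, hostid) are real FreeBSD scripts, but the ordering embedded here is a constructed sample and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc system): report
# which network-dependent rc.d scripts rcorder(8) schedules AFTER the ipfw
# script, i.e. which ones will start with a default-deny ruleset already
# loaded. The script names are real FreeBSD rc.d scripts; the ordering
# below is a constructed sample, not output captured from a system.

SAMPLE_ORDER='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/ipfw
/etc/rc.d/rtsold
/etc/rc.d/routing
/etc/rc.d/named
/etc/rc.d/ntpdate
/etc/rc.d/sshd'

# position_of NAME: read an rcorder listing on stdin and print the 1-based
# position of the script whose basename is NAME, or 0 if it is absent.
position_of() {
    awk -v want="$1" '
        { name = $0; sub(/.*\//, "", name) }
        name == want { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# services_behind_firewall FIREWALL SERVICE...: read an rcorder listing on
# stdin and print each SERVICE ordered after FIREWALL. With ipfw (block by
# default) as FIREWALL, every name printed starts behind the ruleset and
# needs its traffic (DNS lookups, rtsol packets) permitted by the early
# rules, or it will fail exactly as the thread describes. Services that are
# not in the listing at all are skipped; an unknown FIREWALL is an error.
services_behind_firewall() {
    order=$(cat)
    fw=$1
    shift
    fwpos=$(printf '%s\n' "$order" | position_of "$fw")
    if [ "$fwpos" -eq 0 ]; then
        echo "services_behind_firewall: '$fw' is not in the ordering" >&2
        return 2
    fi
    for svc in "$@"; do
        pos=$(printf '%s\n' "$order" | position_of "$svc")
        if [ "$pos" -gt "$fwpos" ]; then
            printf '%s\n' "$svc"
        fi
    done
    return 0
}

# Run against the constructed sample. On a real system, feed rcorder instead:
#   rcorder /etc/rc.d/* | services_behind_firewall ipfw rtsold named ntpdate
printf '%s\n' "$SAMPLE_ORDER" | services_behind_firewall ipfw rtsold named ntpdate sshd
```

Only the block-by-default firewall matters for this check; per Kian's list, ipf and pf pass by default, so a service ordered after them is reachable but unprotected, which is the opposite failure and not what this script reports.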