[ Re-locating this thread from -stable. ]

Mark Andrews wrote:
On Saturday 17 March 2007 03:58, Mark Andrews wrote:

nothing goes to this machine because by default everything is blocked until you permit it
You're absolutely correct, however your original post seems to have
taken many of us by surprise, causing some of us (at least me!) to
assume that you've changed the default method to allow.  I'm obviously
misunderstanding, so I apologise for that, but I hope you can see the
reasoning behind my comments with what I knew at the time.  :)
        ipfw needs to be before networking or router discovery
        fails for IPv6.

        http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589


By default any network connection will fail so long as you do not permit it.

If rtsol fails or is called too early, it is an rtsol problem and not an ipfw problem, I guess.

named and ipfw before netif?

        ip6fw is before networking. ipfw is supposed to be taking
        over from ip6fw.  ipfw and ip6fw should be started at a
        similar time.

        rtsol is approximately the equivalent to DHCP.  The machine is
        requesting an address from the network.  It doesn't matter if
        it is a router or a DHCP server that is supplying the address.

        DHCP only works because it bypasses the firewall.

Mark,

Currently the order (with some non-networking items removed) is:

/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/sppp
/etc/rc.d/auto_linklocal
/etc/rc.d/pccard
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

ipfilter starts very early in the "late" section of rcorder, it requires mountcritlocal (the default early_late_divider) and has a BEFORE: netif.

Currently ip6fw actually starts after routing (and therefore after netif). Before we move it I think someone who knows more about how rtsol works than I do should comment. AFAICT, network_ipv6 is going to need routing up. If ip6fw's functionality is going to be subsumed into ipfw, then changing ipfw to run before netif now, and nuking ip6fw later is probably sufficient.

If it's reasonable to conclude that we want all the firewalls to start before netif, I see two ways to accomplish that. One would be to have netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is cleaner, but netif already has a pretty long REQUIRE line. The other way would be to add a new FIREWALLS placeholder for the REQUIREs I'm suggesting above, and then have netif REQUIRE that.

If on the other hand, there is some reason NOT to start all the firewalls before netif, then things get more complicated. :)

The attached patch changes the rcorder to the following:

/etc/rc.d/sppp
/etc/rc.d/ipfw
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/auto_linklocal
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

Thoughts?

Doug

--

    This .signature sanitized for your protection
Index: ip6fw
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ip6fw,v
retrieving revision 1.8
diff -u -r1.8 ip6fw
--- ip6fw       31 Dec 2006 10:37:18 -0000      1.8
+++ ip6fw       17 Mar 2007 21:28:18 -0000
@@ -5,7 +5,6 @@
 
 # PROVIDE: ip6fw
 # REQUIRE: routing
-# BEFORE: network_ipv6
 # KEYWORD: nojail
 
 . /etc/rc.subr
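Review bot: removing `# BEFORE: network_ipv6` leaves ip6fw with `# REQUIRE: routing` only, so ip6fw still starts after netif while ipfw moves in front of it; the post-patch rcorder listing in the cover text shows ip6fw after routing. That preserves the IPv4/IPv6 asymmetry the thread is about (an interface can be up, and router discovery running, before any IPv6 filter is loaded). If the plan is to retire ip6fw in favour of ipfw, the commit message should say so, so nobody reads this hunk as the IPv6 fix.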
Index: ipfilter
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipfilter,v
retrieving revision 1.26
diff -u -r1.26 ipfilter
--- ipfilter    31 Dec 2006 10:37:18 -0000      1.26
+++ ipfilter    17 Mar 2007 21:15:21 -0000
@@ -6,7 +6,6 @@
 
 # PROVIDE: ipfilter
 # REQUIRE: root mountcritlocal
-# BEFORE:  netif
 # KEYWORD: nojail
 
 . /etc/rc.subr
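Review bot: with `# BEFORE:  netif` dropped, ipfilter-before-netif now holds only because the netif hunk in this same patch adds `# REQUIRE: ipfilter ipfs pf ipfw`. The two hunks are therefore not independently committable: if the netif change is reverted or merged separately, ipfilter (and ipfs, which loses the same line below) silently moves after interface configuration. Keeping the BEFORE line is redundant but harmless and keeps the intent visible in the script itself.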
Index: ipfs
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipfs,v
retrieving revision 1.6
diff -u -r1.6 ipfs
--- ipfs        7 Oct 2004 13:55:26 -0000       1.6
+++ ipfs        17 Mar 2007 21:15:43 -0000
@@ -6,7 +6,6 @@
 
 # PROVIDE: ipfs
 # REQUIRE: ipnat
-# BEFORE:  netif
 # KEYWORD: nojail shutdown
 
 . /etc/rc.subr
Index: ipfw
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipfw,v
retrieving revision 1.14
diff -u -r1.14 ipfw
--- ipfw        31 Dec 2006 10:37:18 -0000      1.14
+++ ipfw        17 Mar 2007 21:31:21 -0000
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: ipfw
-# REQUIRE: ppp
-# BEFORE: NETWORKING
+# REQUIRE: root mountcritlocal
 # KEYWORD: nojail
 
 . /etc/rc.subr
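Review bot: `# REQUIRE: ppp` is dropped together with `# BEFORE: NETWORKING`, so ipfw now runs before any interface, address or route exists. That is the right direction for the default-deny behaviour described upthread (the ruleset is loaded before the first packet can arrive), but the rule loader should be checked for anything that needs a configured stack at load time, for example a firewall_type or rc.firewall variant that inspects ifconfig output or resolves a hostname; such rules would have worked under the old ppp dependency and will now run against unconfigured interfaces. Note also that the new position is enforced only through the netif hunk, not by anything in this file.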
Index: ipnat
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/ipnat,v
retrieving revision 1.15
diff -u -r1.15 ipnat
--- ipnat       31 Dec 2006 10:37:18 -0000      1.15
+++ ipnat       17 Mar 2007 21:15:29 -0000
@@ -6,7 +6,6 @@
 
 # PROVIDE: ipnat
 # REQUIRE: ipfilter
-# BEFORE:  DAEMON netif
 # KEYWORD: nojail
 
 . /etc/rc.subr
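Review bot: this hunk removes `DAEMON` as well as `netif` from the BEFORE line, which is a second ordering change the cover text does not mention. Before-netif is still implied through ipfs (ipnat -> ipfs -> netif), but nothing in the patch replaces the before-DAEMON constraint. Either keep `# BEFORE:  DAEMON` or state why it is no longer needed.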
Index: netif
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/netif,v
retrieving revision 1.22
diff -u -r1.22 netif
--- netif       9 Feb 2007 12:11:26 -0000       1.22
+++ netif       17 Mar 2007 23:04:21 -0000
@@ -26,7 +26,8 @@
 #
 
 # PROVIDE: netif
-# REQUIRE: atm1 ipfilter mountcritlocal serial sppp sysctl
+# REQUIRE: atm1 mountcritlocal serial sppp sysctl
+# REQUIRE: ipfilter ipfs pf ipfw
 # KEYWORD: nojail
 
 . /etc/rc.subr
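Review bot: the new line lists ipfilter, ipfs, pf and ipfw but not ipnat. The chain ipfs -> ipnat -> ipfilter (see the ipfs and ipnat hunks) makes this sufficient, but naming ipfilter and ipfs while skipping the script between them reads like an omission; either list all three or only ipfs, with a comment. Splitting the dependencies over two REQUIRE lines is fine with rcorder(8), which parses every `# REQUIRE:` line it finds. This is the first of the two options in the cover text; the commit message should say whether the FIREWALLS placeholder alternative was rejected.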
Index: network_ipv6
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/network_ipv6,v
retrieving revision 1.37
diff -u -r1.37 network_ipv6
--- network_ipv6        7 Oct 2004 13:55:26 -0000       1.37
+++ network_ipv6        17 Mar 2007 21:20:18 -0000
@@ -29,7 +29,7 @@
 #
 
 # PROVIDE: network_ipv6
-# REQUIRE: routing
+# REQUIRE: routing ip6fw
 # KEYWORD: nojail
 
 . /etc/rc.subr
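Review bot: adding ip6fw to REQUIRE restores the constraint removed in the ip6fw hunk, so the pair is net-neutral for ordering; both scripts still depend on routing, which comes after netif. If the PR 108589 failure is about ip6fw versus router discovery, this pair does not address it, because nothing in the patch moves IPv6 filtering ahead of netif.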
Index: pf
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/pf,v
retrieving revision 1.14
diff -u -r1.14 pf
--- pf  31 Dec 2006 10:37:18 -0000      1.14
+++ pf  17 Mar 2007 21:18:13 -0000
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
-# BEFORE:  routing
+# REQUIRE: root mountcritlocal pflog pfsync
 # KEYWORD: nojail
 
 . /etc/rc.subr
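Review bot: dropping netif (and `# BEFORE:  routing`) means the pf ruleset is now loaded before any interface is configured. Rules that merely name an interface are fine, but pf.conf constructs resolved at load time against a configured interface, such as `if:network` or a hostname, would fail in that position, as would rules on interfaces that netif itself creates via cloned_interfaces. This should be tested with a non-trivial pf.conf before it goes in.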
Index: pflog
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/pflog,v
retrieving revision 1.10
diff -u -r1.10 pflog
--- pflog       31 Dec 2006 10:37:18 -0000      1.10
+++ pflog       17 Mar 2007 21:18:21 -0000
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pflog
-# REQUIRE: root mountcritlocal netif cleanvar
+# REQUIRE: root mountcritlocal cleanvar
 # KEYWORD: nojail
 
 . /etc/rc.subr
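Review bot: pflog loses its netif dependency but keeps cleanvar; if the script expects the pflog0 interface to exist (whether created on module load or by netif's cloned_interfaces handling), confirm it is still present when this now runs before netif. The same question applies to the pfsync hunk below.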
Index: pfsync
===================================================================
RCS file: /usr/local/ncvs/src/etc/rc.d/pfsync,v
retrieving revision 1.2
diff -u -r1.2 pfsync
--- pfsync      31 Dec 2006 10:37:18 -0000      1.2
+++ pfsync      17 Mar 2007 21:18:33 -0000
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pfsync
-# REQUIRE: root mountcritlocal netif
+# REQUIRE: root mountcritlocal
 # KEYWORD: nojail
 
 . /etc/rc.subr
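The ordering Doug describes can be checked without a FreeBSD box. The following is an added example, not part of the thread and not FreeBSD's rcorder(8): a small Python re-implementation of the PROVIDE/REQUIRE/BEFORE sort, applied to constructed headers that mirror the scripts before and after the patch. Scripts the patch does not touch (root, mountcritlocal, cleanvar, routing, ppp, NETWORKING, DAEMON) are reduced to placeholder nodes with assumed dependencies, and netif's other REQUIREs are omitted. The audit question it answers is the one raised upthread: which firewalls still start after netif, i.e. after an interface can be up with no filter loaded.

```python
"""rcorder(8)-style sort for rc.d headers (added example, not rcorder itself).

Only PROVIDE / REQUIRE / BEFORE are modelled; KEYWORD is ignored. The
placeholder headers below are assumptions, not the real /etc/rc.d files.
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

# Scripts untouched by the patch, as placeholder nodes (assumed deps).
BASE = {
    "root":           "# PROVIDE: root\n",
    "mountcritlocal": "# PROVIDE: mountcritlocal\n# REQUIRE: root\n",
    "cleanvar":       "# PROVIDE: cleanvar\n# REQUIRE: mountcritlocal\n",
    "routing":        "# PROVIDE: routing\n# REQUIRE: netif\n",
    "ppp":            "# PROVIDE: ppp\n# REQUIRE: routing\n",
    "NETWORKING":     "# PROVIDE: NETWORKING\n# REQUIRE: routing network_ipv6\n",
    "DAEMON":         "# PROVIDE: DAEMON\n# REQUIRE: NETWORKING\n",
}

# Headers as they stand after the patch (the "+" side of each hunk).
AFTER = dict(BASE, **{
    "ipfilter":     "# PROVIDE: ipfilter\n# REQUIRE: root mountcritlocal\n",
    "ipnat":        "# PROVIDE: ipnat\n# REQUIRE: ipfilter\n",
    "ipfs":         "# PROVIDE: ipfs\n# REQUIRE: ipnat\n",
    "ipfw":         "# PROVIDE: ipfw\n# REQUIRE: root mountcritlocal\n",
    "pfsync":       "# PROVIDE: pfsync\n# REQUIRE: root mountcritlocal\n",
    "pflog":        "# PROVIDE: pflog\n# REQUIRE: root mountcritlocal cleanvar\n",
    "pf":           "# PROVIDE: pf\n# REQUIRE: root mountcritlocal pflog pfsync\n",
    "netif":        "# PROVIDE: netif\n# REQUIRE: mountcritlocal\n"
                    "# REQUIRE: ipfilter ipfs pf ipfw\n",
    "ip6fw":        "# PROVIDE: ip6fw\n# REQUIRE: routing\n",
    "network_ipv6": "# PROVIDE: network_ipv6\n# REQUIRE: routing ip6fw\n",
})

# The same set with the pre-patch ("-" side) headers.
BEFORE = dict(AFTER, **{
    "ipfilter":     "# PROVIDE: ipfilter\n# REQUIRE: root mountcritlocal\n# BEFORE: netif\n",
    "ipnat":        "# PROVIDE: ipnat\n# REQUIRE: ipfilter\n# BEFORE: DAEMON netif\n",
    "ipfs":         "# PROVIDE: ipfs\n# REQUIRE: ipnat\n# BEFORE: netif\n",
    "ipfw":         "# PROVIDE: ipfw\n# REQUIRE: ppp\n# BEFORE: NETWORKING\n",
    "pfsync":       "# PROVIDE: pfsync\n# REQUIRE: root mountcritlocal netif\n",
    "pflog":        "# PROVIDE: pflog\n# REQUIRE: root mountcritlocal netif cleanvar\n",
    "pf":           "# PROVIDE: pf\n# REQUIRE: root mountcritlocal netif pflog pfsync\n"
                    "# BEFORE: routing\n",
    "netif":        "# PROVIDE: netif\n# REQUIRE: ipfilter mountcritlocal\n",
    "ip6fw":        "# PROVIDE: ip6fw\n# REQUIRE: routing\n# BEFORE: network_ipv6\n",
    "network_ipv6": "# PROVIDE: network_ipv6\n# REQUIRE: routing\n",
})


def parse_header(text):
    """Return (provides, requires, befores) from one script header."""
    fields = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, value in HEADER.findall(text):
        fields[key].extend(value.split())
    return fields["PROVIDE"], fields["REQUIRE"], fields["BEFORE"]


def rcorder(scripts):
    """Topological start order. 'BEFORE: X' is folded into X's own deps,
    which is how rcorder(8) treats it. Unlike rcorder(8), which only warns,
    an unresolved REQUIRE or a cycle raises: for a firewall-ordering audit
    either one is a finding, not noise."""
    parsed = {name: parse_header(text) for name, text in scripts.items()}
    provider = {p: name for name, (prov, _, _) in parsed.items() for p in prov}
    deps = defaultdict(set)
    for name, (_, requires, befores) in parsed.items():
        for r in requires:
            if r not in provider:
                raise ValueError(f"{name}: REQUIRE {r} is not provided")
            deps[name].add(provider[r])
        for b in befores:
            if b not in provider:
                raise ValueError(f"{name}: BEFORE {b} is not provided")
            deps[provider[b]].add(name)
    order, done = [], set()
    while len(order) < len(scripts):
        # Alphabetical tie-break keeps the output deterministic.
        ready = sorted(n for n in scripts if n not in done and deps[n] <= done)
        if not ready:
            raise ValueError("cycle among " + ", ".join(sorted(set(scripts) - done)))
        order.append(ready[0])
        done.add(ready[0])
    return order


FIREWALLS = ("ipfilter", "ipfw", "pf", "ip6fw")


def firewalls_after_netif(order, firewalls=FIREWALLS):
    """Firewall scripts that start after netif: a window in which an
    interface is configured but that filter has not been loaded yet."""
    pos = {name: i for i, name in enumerate(order)}
    return [fw for fw in firewalls if pos[fw] > pos["netif"]]


if __name__ == "__main__":
    for label, scripts in (("before patch", BEFORE), ("after patch", AFTER)):
        order = rcorder(scripts)
        print(f"{label}: {' '.join(order)}")
        print(f"  firewalls after netif: {firewalls_after_netif(order)}")
```

Running it shows that before the patch ipfw, pf and ip6fw all come up after netif and only ipfilter is in place first; after the patch only ip6fw does, which is exactly the residual IPv6 gap the thread leaves open. Adding a real rc.d tree's headers to the dictionaries turns this into a quick regression check for any later reordering.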
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net