Doug Barton wrote: > > If it's reasonable to conclude that we want all the firewalls to start > before netif, I see two ways to accomplish that. One would be to have > netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is > cleaner, but netif already has a pretty long REQUIRE line. The other > way would be to add a new FIREWALLS placeholder for the REQUIREs I'm > suggesting above, and then have netif REQUIRE that. > > If on the other hand, there is some reason NOT to start all the > firewalls before netif, then things get more complicated. :) > >
I definitely think that firewalls should be started as early as possible, for obvious reasons. I can't speak for ipfw, but removing the REQUIRE: netif for pf might break some setups where the ruleset references a cloned interface that netif creates. Correct me if I'm wrong? Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would solve that problem, at least for pf. The idea has been discussed a few times before but I didn't see it go anywhere. http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003041.html I'd love to see the rcorder for the firewalls get worked out! :) Kian _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
