Doug Barton wrote:
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, but IMO
> those are the exception, not the rule. Furthermore (and I'm betraying a
> prejudice here) I think that firewall rules that rely on name resolution
> are absolutely nuts, and I say that with many years of experience as a
> professional DNS and system administrator.
Agreed. FQDNs in a ruleset is a pretty stupid idea. I guess I also agree with the reasoning that changing the common case as little as possible is good.

> Therefore I believe strongly that the default behavior should be changed
> to load all firewalls (and rules) before netif, and that those who want
> to do firewall-related things that require netif or routing to be up
> should be the ones who have to opt in to the new script. That said, I
> think you and I have expressed our opinions pretty clearly on these
> points, so I'd suggest that we let someone else have a turn.

After re-reading your original idea, I think I understand a little better what you mean to do. For clarification, are you proposing that the [early] firewall scripts do nothing if firewall_late_enable=YES, and then have all firewalling taken care of later in the boot process (i.e. post-networking) by firewall_late? I think I might have misunderstood your original proposal :)

-Kian

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
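As an added illustration of the ordering question in this thread (not code from the thread or from FreeBSD's own rc.d), the POSIX sh below checks, from constructed rcorder header fragments, whether a firewall script is ordered ahead of netif, and models the rc.conf gate Kian asks about. The header text, the script names and the firewall_late gating logic are assumptions, not the actual proposal.

```shell
# Constructed rc.d header fragments (assumed, not the real FreeBSD scripts).
# Early-style firewall script: ordered ahead of netif, so rules are in place
# before any interface is brought up.
EARLY_FW='# PROVIDE: ipfw
# REQUIRE: FILESYSTEMS
# BEFORE: netif'

# Late-style script: the opt-in case that needs netif and routing first.
LATE_FW='# PROVIDE: firewall_late
# REQUIRE: netif routing'

NETIF='# PROVIDE: netif
# REQUIRE: FILESYSTEMS'

# header_field HEADERS FIELD: print the values of a "# FIELD:" rcorder line.
header_field() {
    printf '%s\n' "$1" | sed -n "s/^# *$2: *//p"
}

# fw_before_netif FW_HEADERS NETIF_HEADERS
# Returns 0 when rcorder(8) would start the firewall script before netif:
# the firewall script names netif in BEFORE:, or netif REQUIREs something
# the firewall script PROVIDEs. Only direct edges are checked here.
fw_before_netif() {
    fw_provides=$(header_field "$1" PROVIDE)
    fw_before=$(header_field "$1" BEFORE)
    netif_provides=$(header_field "$2" PROVIDE)
    netif_requires=$(header_field "$2" REQUIRE)
    for b in $fw_before; do
        for p in $netif_provides; do [ "$b" = "$p" ] && return 0; done
    done
    for r in $netif_requires; do
        for p in $fw_provides; do [ "$r" = "$p" ] && return 0; done
    done
    return 1
}

# rc_value RCCONF_TEXT VAR: last assignment of VAR in an rc.conf fragment.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"' | tail -n 1
}

# early_firewall_should_load RCCONF_TEXT
# Assumed model of the gate Kian asks about: the early script loads rules
# when firewall_enable=YES unless firewall_late_enable=YES hands everything
# to firewall_late after networking is up.
early_firewall_should_load() {
    [ "$(rc_value "$1" firewall_enable)" = "YES" ] || return 1
    [ "$(rc_value "$1" firewall_late_enable)" != "YES" ]
}
```

A script that fails fw_before_netif is exactly the case Doug describes: interfaces come up with no ruleset loaded until the script runs later in the boot.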