Re: rc.order wrong (ipfw)

2007-03-18 Thread Kian Mohageri
Doug Barton wrote: > I believe (for whatever that's worth) that firewalls (and firewall rules) _should_ be loaded prior to the interfaces coming up. If someone wants to have dynamic rules, rules that rely on name resolution, or rules for non-physical (e.g., cloned) interfaces, that's fine, bu

Re: rc.order wrong (ipfw)

2007-03-18 Thread Mike Telahun Makonnen
Hi guys, Long time no see :P I don't have anything to say directly about this issue (other than that I'm leaning towards Doug's reasoning on this) but I'm working on a patch to integrate IPv6 handling into rc.d/netif, which might indirectly have a bearing on this discussion. I'm currently testin

Re: rc.order wrong (ipfw)

2007-03-18 Thread Doug Barton
Kian Mohageri wrote: I agree VERY MUCH with this sort of approach. It would be a much cleaner solution than completely separate handling of all of these different problems. I'm trying to get an idea of what all of the major problems with the current order are, and these are the ones I'm aware

Re: rc.order wrong (ipfw)

2007-03-18 Thread Kian Mohageri
Doug Barton wrote: > That said, if the issues of needing to resolve hostnames and set up rules for cloned interfaces are a universal problem (and it seems that they are) then perhaps rather than customizing a solution for pf it might be worthwhile to have a more generic "firewalls_late" scrip

Re: Wireshark

2007-03-18 Thread Guy Helmer
Max Laier wrote: On Saturday 17 March 2007 19:16, [EMAIL PROTECTED] wrote: Can someone please explain the difference between Wireshark and Wireshark-lite. I would like to install a packet sniffer on my FreeBSD box for CLI only. Thanks, What's wrong with tcpdump(8)? Other than that bui

Re: rc.order wrong (ipfw)

2007-03-18 Thread Doug Barton
Kian Mohageri wrote: I can't speak for ipfw, but removing the REQUIRE: netif for pf might break some setups where the ruleset references a cloned interface that netif creates. Correct me if I'm wrong? Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would solve that problem, at le

6.2-STABLE: enc0 sees only outgoing packets in pf

2007-03-18 Thread Andre Albsmeier
(This is FreeBSD 6.2-STABLE as of yesterday using pf and FAST_IPSEC.) Yesterday I started to play around with enc0 in pf. I hoped I could now control IPSEC traffic in the standard way with pf rules but it seems that only outgoing packets hit enc0. I added a pass quick log on enc0 all on top of a