On Fri, Jul 4, 2008 at 4:32 AM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 03, 2008 at 08:55:21AM -0700, Kian Mohageri wrote:
>> On Wed, Jul 2, 2008 at 5:39 PM, Stef <[EMAIL PROTECTED]> wrote:
>> > Kian Mohageri wrote:
>> >> On Sun, Ma
On Wed, Jul 2, 2008 at 5:39 PM, Stef <[EMAIL PROTECTED]> wrote:
> Kian Mohageri wrote:
>> On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote:
>>> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>>>
>>>> Johan Ström wrote:
On Sun, May 18, 2008 at 3:33 AM, Johan Ström <[EMAIL PROTECTED]> wrote:
> On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:
>
>> Johan Ström wrote:
>>
>>> drop all traffic)? A check with pfctl -vsr reveals that the actual rule
>>> inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.1
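As an added illustration of the problem under discussion (this fragment is not from any message in the thread, and the interface name em0, the macro ext_if and the port are assumptions), the following pf.conf fragment shows the two ways an interface can stand in for an address. With the bare macro, pfctl resolves em0 to whatever address it has at the moment the ruleset is parsed, which is the situation the thread describes when pf loads before netif has configured the interface. With the interface in parentheses, pf.conf(5) documents that the rule is updated automatically whenever the interface's address changes, so the rule loaded early still ends up carrying the right address once the interface comes up.

```pf
# Added example pf.conf fragment; em0, ext_if and the port are assumptions.
ext_if = "em0"

# Bare macro: the address is looked up once, when pfctl parses this file.
# Loaded before em0 is configured, the rule reflects that moment's state.
pass in on $ext_if inet proto tcp from any to $ext_if port 22

# Parenthesised interface: pf re-evaluates the address whenever em0's
# address changes, so loading before the interface is up is harmless.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22
```

To see how either form will be expanded without touching the running ruleset, parse it with `pfctl -nvf /etc/pf.conf`; to see what is actually loaded, use `pfctl -vsr` as in the message above and compare the addresses shown against `ifconfig em0`.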
Doug Barton wrote:
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, bu
Doug Barton wrote:
> That said, if the issues of needing to resolve hostnames and set up
> rules for cloned interfaces are a universal problem (and it seems that
> they are) then perhaps rather than customizing a solution for pf it
> might be worthwhile to have a more generic "firewalls_late" scrip
Doug Barton wrote:
>
> If it's reasonable to conclude that we want all the firewalls to start
> before netif, I see two ways to accomplish that. One would be to have
> netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is
> cleaner, but netif already has a pretty long REQUIRE line. The