> "Doug" == Doug Barton <[EMAIL PROTECTED]> writes:
Doug> Kian Mohageri wrote:
>> I agree VERY MUCH with this sort of approach. It would be a much
>> cleaner solution than completely separate handling of all of these
>> different problems. I'm trying to get an idea of what all of the
>> majo
Kian Mohageri wrote:
After re-reading your original idea, I think I understand a little
better what you mean to do. For clarification, are you proposing that
the [early] firewall scripts do nothing if firewall_late_enable=YES, and
then have all firewalling taken care of later in the boot proces
> Therefore I believe strongly that the default behavior should be
> changed to load all firewalls (and rules) before netif, and that those
> who want to do firewall-related things that require netif or routing
> to be up should be the ones who have to opt in to the new script. That
> said, I
Doug Barton wrote:
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, bu
Hi guys,
Long time no see :P
I don't have anything to say directly about this issue (other than
that I'm leaning towards Doug's reasoning on this) but I'm working on
a patch to integrate IPv6 handling into rc.d/netif, which might
indirectly have a bearing on this discussion. I'm currently testin
Kian Mohageri wrote:
I agree VERY MUCH with this sort of approach. It would be a much
cleaner solution than completely separate handling of all of these
different problems. I'm trying to get an idea of what all of the major
problems with the current order are, and these are the ones I'm aware
Doug Barton wrote:
> That said, if the issues of needing to resolve hostnames and set up
> rules for cloned interfaces are a universal problem (and it seems that
> they are) then perhaps rather than customizing a solution for pf it
> might be worthwhile to have a more generic "firewalls_late" scrip
Kian Mohageri wrote:
I can't speak for ipfw, but removing the
REQUIRE: netif for pf might break some setups where the ruleset
references a cloned interface that netif creates. Correct me if I'm wrong?
Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
solve that problem, at le
Doug Barton wrote:
>
> If it's reasonable to conclude that we want all the firewalls to start
> before netif, I see two ways to accomplish that. One would be to have
> netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is
> cleaner, but netif already has a pretty long REQUIRE line. The
[ Re-locating this thread from -stable. ]
Mark Andrews wrote:
On Saturday 17 March 2007 03:58, Mark Andrews wrote:
nothing goes to this machine because by default everything is blocked
until you permit it
You're absolutely correct, however your original post seems to have
taken many of us by