PF in /etc/rc.d: some issues

Yar Tikhiy yar at comp.chem.msu.su
Thu Sep 22 04:20:27 PDT 2005


Hi there,

I think we have a couple of issues regarding PF set-up during the
system boot process.

First, in the presence of vlans or other dynamic interfaces it can
be hard to ensure that pfsync0 will appear after its syncdev on the
final list of interfaces built inside /etc/network.subr from several
rc.conf variables and other sources.  Consequently, pfsync0 won't
come up because it is configured before its syncdev is up and running.
IMHO, this problem can be addressed by creating a separate rcNG script
for pfsync, which I have already done on my systems using PF (see below).

Second, the /etc/rc.d/pf script starts before DAEMON and LOGIN, which
IMHO is too late.  Can we make it start before "routing"?  In an
ideal world, a firewall should start before "netif", but I'm unsure
whether PF can start when not all interfaces mentioned in pf.conf are
present in the system yet.

-- 
Yar

%%%
#!/bin/sh

# PROVIDE: pfsync
# REQUIRE: root mountcritlocal netif
# KEYWORD: nojail

. /etc/rc.subr

name="pfsync"
# Same value `set_rcvar` would produce: the rc.conf knob is pfsync_enable.
rcvar="pfsync_enable"
start_precmd="pfsync_prestart"
start_cmd="pfsync_start"
stop_cmd="pfsync_stop"

# Read rc.conf once, then fill in defaults for anything left unset.
load_rc_config "$name"
: ${pfsync_if:="pfsync0"}

pfsync_prestart()
{
	# Refuse to start without a syncdev: pfsync0 would come up with
	# no interface to exchange state updates on.
	if [ -z "$pfsync_syncdev" ]; then
		warn "pfsync_syncdev is not set, nothing done"
		return 1
	fi
	# The syncdev must already exist; netif has run by now, so a
	# missing interface is a configuration error, not a race.
	if ! ifconfig "$pfsync_syncdev" > /dev/null 2>&1; then
		warn "syncdev $pfsync_syncdev does not exist, nothing done"
		return 1
	fi
	return 0
}

pfsync_start()
{
	echo "Enabling pfsync."
	ifconfig "$pfsync_if" syncdev "$pfsync_syncdev" up
}

pfsync_stop()
{
	echo "Disabling pfsync."
	ifconfig "$pfsync_if" -syncdev down
}

run_rc_command "$1"
