rc.order wrong (ipfw)

Mike Telahun Makonnen mmakonnen at gmail.com
Mon Mar 19 06:46:18 UTC 2007


Hi guys,

Long time no see :P

I don't have anything to say directly about this issue (other than
that I'm leaning towards Doug's reasoning on this) but I'm working on
a patch to integrate IPv6 handling into rc.d/netif, which might
indirectly have a bearing on this discussion. I'm currently testing
the patch. I'll post it to the list as soon as I'm fairly certain it
doesn't break anything too much. In my patch, IPv6 is configured in
rc.d/netif right after IPv4. In general terms it goes something like
this:
   o General net configuration (cloning, renaming, etc)
   o General pre-IPv6 configuration
   o Get list of all interfaces
   o For each interface:
      - Configure IPv4
      - Configure IPv6
         - Static configuration
         - rtsol
         - aliases
   o General post-IPv6 configuration

I think that up until now the separation of general interface
configuration and IPv6 configuration has complicated the ordering of
routing and firewall scripts. Hopefully, the patch will remove some of
those complications. I'll get back to you with the patch in the next
couple of days.


Cheers,
Mike.

On 3/19/07, Doug Barton <dougb at freebsd.org> wrote:
> Kian Mohageri wrote:
>
> > I agree VERY MUCH with this sort of approach.  It would be a much
> > cleaner solution than completely separate handling of all of these
> > different problems.  I'm trying to get an idea of what all of the major
> > problems with the current order are, and these are the ones I'm aware of:
> >
> > - ipfw blocks by default (names unresolvable, rtsol breaks)
> > - ipf/pf pass by default (services are unprotected)
> >
> > I think a firewall_boot script (similar to what you've proposed) could
> > potentially solve all of these problems.
>
> I'm glad that you like the idea in principle, however I'm sorry to say
> that I don't see eye to eye with your suggestion of modifying the
> early behavior instead of the late behavior.
>
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If
> someone wants to have dynamic rules, rules that rely on name
> resolution, or rules for non-physical (e.g., cloned) interfaces,
> that's fine, but IMO those are the exception, not the rule.
> Furthermore (and I'm betraying a prejudice here) I think that firewall
> rules that rely on name resolution are absolutely nuts, and I say that
> with many years of experience as a professional DNS and system
> administrator.
>
> Therefore I believe strongly that the default behavior should be
> changed to load all firewalls (and rules) before netif, and that those
> who want to do firewall-related things that require netif or routing
> to be up should be the ones who have to opt in to the new script. That
> said, I think you and I have expressed our opinions pretty clearly on
> these points, so I'd suggest that we let someone else have a turn.
>
> Doug
>
> --
>
>      This .signature sanitized for your protection
> _______________________________________________
> freebsd-rc at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-rc
> To unsubscribe, send any mail to "freebsd-rc-unsubscribe at freebsd.org"
>
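Added illustration, not code from this thread nor from FreeBSD's own rc.d: a minimal rcorder(8)-style dependency sort run over constructed stub scripts, showing how the PROVIDE/REQUIRE/BEFORE headers put a firewall script on either side of netif. The stub names sysctl, netif, routing, ipfw and the opt-in script firewall_late, together with their header lines, are assumptions made up for the demo and are not copied from any real /etc/rc.d file; on an actual system the authoritative order is what `rcorder /etc/rc.d/*` prints.

```shell
#!/bin/sh
# Added demo, not from the thread or FreeBSD sources. The stub scripts and
# their PROVIDE/REQUIRE/BEFORE headers below are constructed for this example.

# Write one stub script: $1 = dir, $2 = name, remaining args = header lines.
stub() {
    dir=$1; name=$2; shift 2
    {
        echo '#!/bin/sh'
        for hdr in "$@"; do echo "# $hdr"; done
        echo "echo running $name"
    } > "$dir/$name"
}

# Populate $1 with constructed stubs. $2 selects where the firewall lands:
#   late  - ipfw requires routing (the order the thread complains about)
#   early - ipfw declares BEFORE: netif (the proposed default), and a
#           hypothetical opt-in firewall_late script requires routing
make_stubs() {
    dir=$1; mode=$2
    stub "$dir" sysctl  "PROVIDE: sysctl"
    stub "$dir" netif   "PROVIDE: netif"   "REQUIRE: sysctl"
    stub "$dir" routing "PROVIDE: routing" "REQUIRE: netif"
    if [ "$mode" = early ]; then
        stub "$dir" ipfw          "PROVIDE: ipfw"          "BEFORE: netif"
        stub "$dir" firewall_late "PROVIDE: firewall_late" "REQUIRE: routing"
    else
        stub "$dir" ipfw "PROVIDE: ipfw" "REQUIRE: routing"
    fi
}

# Kahn's topological sort over the stubs in $1, one script name per line.
# REQUIRE: x means the provider of x runs first; BEFORE: x means this script
# runs before the provider of x. Ties are broken by file order for stability.
rc_order() {
    awk '
    FNR == 1 { n++; path[n] = FILENAME }
    /^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[$i] = n }
    /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[n, ++nreq[n]] = $i }
    /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[n, ++nbef[n]] = $i }
    END {
        # edge[a, b] set means script a must run before script b
        for (b = 1; b <= n; b++)
            for (j = 1; j <= nreq[b] + 0; j++)
                if ((req[b, j]) in prov) edge[prov[req[b, j]], b] = 1
        for (a = 1; a <= n; a++)
            for (j = 1; j <= nbef[a] + 0; j++)
                if ((bef[a, j]) in prov) edge[a, prov[bef[a, j]]] = 1
        for (a = 1; a <= n; a++)
            for (b = 1; b <= n; b++)
                if ((a, b) in edge) indeg[b]++
        for (k = 1; k <= n; k++) {
            pick = 0
            for (b = 1; b <= n; b++)
                if (!done[b] && indeg[b] + 0 == 0) { pick = b; break }
            if (!pick) { print "rc_order: dependency cycle" > "/dev/stderr"; exit 1 }
            done[pick] = 1
            nm = path[pick]; sub(".*/", "", nm); print nm
            for (b = 1; b <= n; b++)
                if ((pick, b) in edge) indeg[b]--
        }
    }' "$1"/*
}

# Exit status 0 if script $2 is ordered before script $3 in directory $1.
runs_before() {
    rc_order "$1" | awk -v a="$2" -v b="$3" '
        $0 == a { pa = NR } $0 == b { pb = NR }
        END { exit !(pa && pb && pa < pb) }'
}

# Demo: late mode prints  sysctl netif routing ipfw
#       early mode prints ipfw sysctl netif routing firewall_late
for mode in late early; do
    d=$(mktemp -d)
    make_stubs "$d" "$mode"
    printf '%s mode: ' "$mode"
    rc_order "$d" | tr '\n' ' '
    echo
    rm -rf "$d"
done
```

The point the demo makes is the one under discussion: with nothing but a REQUIRE on routing, ipfw cannot come up before the interfaces, so the default-deny ruleset is not in place while netif and rtsol run; moving the ordering constraint to a BEFORE: netif header on the firewall script puts the rules in place first, and anything that genuinely needs interfaces or routes (name resolution, cloned interfaces) goes into a separate opt-in script that requires routing.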
