rc.order wrong (ipfw)

Kian Mohageri kian.mohageri at gmail.com
Mon Mar 19 07:20:21 UTC 2007


Doug Barton wrote:
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, but IMO
> those are the exception, not the rule. Furthermore (and I'm betraying a
> prejudice here) I think that firewall rules that rely on name resolution
> are absolutely nuts, and I say that with many years of experience as a
> professional DNS and system administrator.
> 

Agreed.  FQDNs in a ruleset is a pretty stupid idea.  I guess I also
agree with the reasoning that changing the common case as little as
possible is good.

> Therefore I believe strongly that the default behavior should be changed
> to load all firewalls (and rules) before netif, and that those who want
> to do firewall-related things that require netif or routing to be up
> should be the ones who have to opt in to the new script. That said, I
> think you and I have expressed our opinions pretty clearly on these
> points, so I'd suggest that we let someone else have a turn.


After re-reading your original idea, I think I understand a little
better what you mean to do.  For clarification, are you proposing that
the [early] firewall scripts do nothing if firewall_late_enable=YES, and
then have all firewalling taken care of later in the boot process (i.e.
post-networking) by firewall_late?

I think I might have misunderstood your original proposal. :)

-Kian


More information about the freebsd-rc mailing list