conf/96343: [patch] rc.d order change to start inet6 before pf
Bruce Cran
bruce at cran.org.uk
Wed Dec 31 05:20:05 UTC 2008
The following reply was made to PR conf/96343; it has been noted by GNATS.
From: Bruce Cran <bruce at cran.org.uk>
To: bug-followup at FreeBSD.org, michael at gargantuan.com
Cc:
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
Date: Wed, 31 Dec 2008 05:19:04 +0000
[http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/96343]
Ideally the firewall should be started before any interfaces become
active to avoid the possibility for an attacker to get in between the
interface being active and the firewall being turned on; on 8-CURRENT
the startup procedure has been changed so that this is the case. It
should be possible to make pf work by, for example, changing

    pass ... on re0 from any to re0 ...

to

    pass ... on re0 from any to (re0) ...

With the second line, pf now doesn't require re0 to have an IP address
in order to load the firewall rules.
--
Bruce Cran
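The difference between the two rule forms above, as an added pf.conf example (this is not code from the PR or from the FreeBSD tree; it assumes an external interface named re0 and that the file is loaded by /etc/rc.d/pf at boot, before re0 has an address):

```pf
# Added example, not part of the original PR. Assumes the external
# interface is re0 (a hypothetical name for this illustration).
ext_if = "re0"

set skip on lo0

# Static form: pf expands $ext_if into its current address(es) when the
# ruleset is loaded. If the firewall is started before the interface has
# been configured, re0 has no address, the load fails and the machine
# comes up with no ruleset at all. Kept here commented out for contrast.
# pass in on $ext_if proto tcp from any to $ext_if port ssh

# Dynamic form: ($ext_if) is not expanded at load time. pf resolves it
# at run time and follows the interface's addresses as they change, so
# the ruleset loads cleanly while re0 is still unconfigured, and it
# stays correct if the address is later renewed by DHCP or inet6.
block all
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
```

To check the difference without rebooting, bring the interface down (or use a test interface with no address) and run `pfctl -nf /etc/pf.conf`: the file parses with the parenthesised rule but fails once the commented static rule is enabled. The parenthesised form is only needed where the interface's own address appears as a host in the rule; the `on $ext_if` interface match never required an address.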