-E flag in /etc/rc.d/ipfilter causes warnings
Fred Souza
fred at storming.org
Tue Jun 17 04:03:31 PDT 2003
> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called. If I'm wrong or you have a
> better alternative to this please let me know.
Yes, you understood the manpage right and no, I don't think there's a
better way to detect that. This is something I've thought about and
couldn't come up with a better solution, either. But there's another
"issue" about /etc/rc.d/ipfilter that has a work-around: IPv6 support.
The current script just fires ipf and then ipf -6, whether you have
IPv6 support or not.
I don't know the purpose of this, since grepping /etc/rc* and
/etc/rc.d/* for it doesn't return anything, but there's this line in
/etc/defaults/rc.conf:
ipv6_enable="NO" # Set to YES to set up for IPv6.
So, assuming there *is* a reason for that variable, I changed my
/etc/rc.d/ipfilter a bit so it respects that (although only in
ipfilter_start()):
case ${OSTYPE} in
FreeBSD)
        # Flush the IPv4 rule set, then reload it if the rules file exists.
        ${ipfilter_program:-/sbin/ipf} -Fa
        if [ -r "${ipfilter_rules}" ]; then
                ${ipfilter_program:-/sbin/ipf} \
                    -f "${ipfilter_rules}" ${ipfilter_flags}
        fi
        # Only touch the IPv6 rule set when ipv6_enable is YES in rc.conf.
        case ${ipv6_enable} in
        [Yy][Ee][Ss])
                ${ipfilter_program:-/sbin/ipf} -6 -Fa
                if [ -r "${ipv6_ipfilter_rules}" ]; then
                        ${ipfilter_program:-/sbin/ipf} -6 \
                            -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
                fi
                ;;
        esac
        ;;
# (remaining OSTYPE branches of the script unchanged)
esac
Should that be the default, or am I missing anything here?
Fred
--
"They're only trying to make me LOOK paranoid!"
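Added example, not from the message above or from the FreeBSD rc.d script: a stand-alone harness that mirrors the ipv6_enable gate in the proposed ipfilter_start() and records which ipf invocations would happen, so the change can be checked without root or a real /sbin/ipf. The fake_ipf stand-in, the count_v6_calls helper and the empty rules files are all constructed for the example.

```shell
#!/bin/sh
# Stand-in for /sbin/ipf: appends its arguments to a log file instead of
# touching the kernel. IPF_LOG is set by the caller. (constructed)
fake_ipf() {
    printf '%s\n' "$*" >> "$IPF_LOG"
}

# Mirrors the FreeBSD branch of the patched ipfilter_start(): the IPv4
# rules are always reloaded, the IPv6 rules only when ipv6_enable is YES.
ipfilter_start_gated() {
    ipf=${ipfilter_program:-/sbin/ipf}
    $ipf -Fa
    if [ -r "${ipfilter_rules}" ]; then
        $ipf -f "${ipfilter_rules}" ${ipfilter_flags}
    fi
    case ${ipv6_enable} in
    [Yy][Ee][Ss])
        $ipf -6 -Fa
        if [ -r "${ipv6_ipfilter_rules}" ]; then
            $ipf -6 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
        fi
        ;;
    esac
}

# Runs ipfilter_start_gated with the given ipv6_enable value against the
# fake ipf and prints how many invocations carried -6 (0 or 2 expected).
count_v6_calls() {
    ipv6_enable=$1
    ipfilter_program=fake_ipf
    ipfilter_flags=
    IPF_LOG=$(mktemp)
    ipfilter_rules=$(mktemp)      # constructed, empty IPv4 rules file
    ipv6_ipfilter_rules=$(mktemp) # constructed, empty IPv6 rules file
    ipfilter_start_gated
    n=$(grep -c -- '^-6 ' "$IPF_LOG" || true)
    rm -f "$IPF_LOG" "$ipfilter_rules" "$ipv6_ipfilter_rules"
    echo "$n"
}
```

Running count_v6_calls NO and count_v6_calls YES shows the gate working: no -6 calls with IPv6 disabled, two (flush and load) with it enabled.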