pfsync rc script breaks pfsync on cloned interfaces

Ian FREISLICH ianf at clue.co.za
Fri Jun 26 05:53:34 UTC 2009


Doug Barton wrote:
> I have reverted the change that caused pf and ipfw to appear before
> netif in the rcorder. While I still feel strongly that it is the
> "right thing" to configure the firewalls first, the changes caused too
> many problems for too many users, and it's too late in the release
> cycle to make a change like this that has significant side effects.

Then, what is required is the creation of (cloned) interfaces to
be separated from assigning them addresses.  But even that is
insufficient because pf.conf allows "interface:network" etc which
expands to the networks on an interface.  Unlike ipfw which walks
the ifnet structure to compare addresses, if at the time of firewall
configuration, the interface has no address, then the rule will
expand to have no address.

> ipfw it's not quite as urgent since by default it does not pass
> packets till it is configured. This is not the case with pf, as its
> default is wide open until it is configured.

I put it to you that users of pf know that it starts with default
allow and changing this will result in a POLA violation.

Ian

--
Ian Freislich
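As an added illustration of the expansion problem described in the message above (this is a constructed pf.conf fragment, not from the thread or from the FreeBSD rc scripts; the interface name em0 is an assumption), pf.conf(5) offers two spellings of the same rule that behave differently when the address arrives after the ruleset is loaded:

```conf
# Constructed pf.conf fragment (added example, not from the thread).
# The interface name em0 is an assumption.

# Static form: "em0:network" is expanded by pfctl when the ruleset is
# loaded. If pf is loaded before netif has assigned em0 an address, the
# rule is installed with no address and matches nothing.
pass in on em0 from em0:network to any

# Dynamic form: parentheses mark the interface expression as dynamic, so
# pf re-evaluates em0's addresses whenever they change and the rule
# picks up the address that netif assigns later, whatever the rc order.
pass in on em0 from (em0:network) to any
```

`pfctl -vnf /etc/pf.conf` parses and prints the ruleset without loading it, which shows what the static form expands to against the current interface state, and `pfctl -sr` shows what is actually installed in the kernel.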
