PF in /etc/rc.d: some issues
Max Laier
max at love2party.net
Thu Sep 22 05:12:27 PDT 2005
On Thursday 22 September 2005 13:20, Yar Tikhiy wrote:
> Hi there,
>
> I think we have a couple of issues regarding PF set-up during the
> system boot process.
I'm pretty sure we do - unfortunately.
> First, in the presence of vlans or other dynamic interfaces it can
> be hard to ensure that pfsync0 will appear after its syncdev on the
> final list of interfaces built inside /etc/network.subr from several
> rc.conf variables and other sources. Consequently, pfsync0 won't
> get up because it is configured before its syncdev is up and running.
> IMHO, this problem can be addressed by creating a separate rcNG script
> for pfsync, which I already did in my systems using PF (see below.)
Sounds reasonable, but put at least an additional $pfsync_ifconfig_flags at
the end of the ifconfig so that people can specify maxupd. pfsync.4 needs to
be updated for this as well.
> Second, /etc/rc.d/pf script starts before DAEMON and LOGIN, which
> is too late IMHO. Can we make it start before "routing"? In an
> ideal world, a firewall should start before "netif", but I'm unsure
> if PF can start when not all interfaces mentioned in pf.conf are
> present in the system yet.
The only remaining problem (that I know of) is "set loginterface" on a
non-existing interface. Everything else should be taken care of by now.
This late startup was in fact a bandaid to get things working back then, but
the problems have been shaken out and now that "set loginterface" is more or
less obsoleted by $pfctl -vsI -i <interface> anyway, we could move it back to
where it belongs. I'd like to keep that change in HEAD for the time being,
however.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
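The syncdev check that Yar's boot-ordering problem calls for, as an added example: this is not the rc.d script referenced in the message (which is not reproduced on this page) and not FreeBSD's own /etc/rc.d/pfsync, but a POSIX sh sketch of the start logic such a script needs. It refuses to configure pfsync0 until the syncdev is present and appends $pfsync_ifconfig_flags last, as Max suggests, so maxupd can be set from rc.conf. The rc.conf variable names pfsync_enable, pfsync_syncdev and pfsync_ifconfig_flags are assumptions for the example, and the interface list is passed in as a constructed argument so the logic runs without a FreeBSD kernel.

```sh
#!/bin/sh
# Added example, not the script referenced in the message or FreeBSD's own
# /etc/rc.d/pfsync. Models the start logic a separate pfsync rc.d script
# needs: refuse to configure pfsync0 until its syncdev exists, and append
# $pfsync_ifconfig_flags last so rc.conf can set options such as maxupd.
#
# Assumed rc.conf variables (names are assumptions for this example):
#   pfsync_enable="YES"
#   pfsync_syncdev="vlan10"
#   pfsync_ifconfig_flags="maxupd 64"

# iface_present NAME IFLIST: true if NAME occurs in the space-separated IFLIST.
# A real script would build IFLIST from `ifconfig -l`; the caller passes it in
# here so the logic can be exercised without a FreeBSD kernel.
iface_present() {
    _want=$1
    for _if in $2; do
        [ "$_if" = "$_want" ] && return 0
    done
    return 1
}

# pfsync_ifconfig_cmd SYNCDEV FLAGS IFLIST
# Prints the ifconfig command line to run. Prints nothing and returns 1 when
# SYNCDEV is unset or not yet in IFLIST, i.e. the boot-ordering failure
# described in the message (pfsync0 configured before its syncdev exists).
pfsync_ifconfig_cmd() {
    _syncdev=$1
    _flags=$2
    _iflist=$3

    if [ -z "$_syncdev" ]; then
        echo "pfsync: pfsync_syncdev is not set" >&2
        return 1
    fi
    if ! iface_present "$_syncdev" "$_iflist"; then
        echo "pfsync: syncdev $_syncdev does not exist yet; not configuring pfsync0" >&2
        return 1
    fi

    # Build the argument list word by word so an empty FLAGS leaves no gap.
    set -- ifconfig pfsync0 syncdev "$_syncdev"
    if [ -n "$_flags" ]; then
        set -- "$@" $_flags      # word-split on purpose: "maxupd 64" is two words
    fi
    set -- "$@" up
    echo "$@"
}

# pfsync_start SYNCDEV FLAGS [IFLIST]: what the rc.d start method would do.
# With IFLIST given it only prints the command (dry run); without it, it asks
# the running kernel with `ifconfig -l` and executes the command.
pfsync_start() {
    if [ -n "$3" ]; then
        pfsync_ifconfig_cmd "$1" "$2" "$3"
    else
        _cmd=$(pfsync_ifconfig_cmd "$1" "$2" "$(ifconfig -l)") || return 1
        $_cmd
    fi
}

# Constructed interface lists for a dry run: one where vlan10 already exists
# and one where it does not (pfsync started too early in the boot).
pfsync_start vlan10 "maxupd 64" "lo0 em0 vlan10"
pfsync_start vlan10 "maxupd 64" "lo0 em0" || echo "pfsync: start deferred"
```

In a real rc.d script this logic would sit in the start method of a script with its own `# REQUIRE: netif` header, so it runs only after the interface configuration that creates the syncdev; the non-zero return on a missing syncdev is what makes the failure visible at boot instead of leaving pfsync0 silently unconfigured, and passing the flags through unchanged is what lets a maxupd value in rc.conf reach ifconfig.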