svn commit: r193198 - head/etc/rc.d
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Jun 1 06:30:13 UTC 2009
On Mon, 1 Jun 2009, Doug Barton wrote:
> Author: dougb
> Date: Mon Jun 1 05:35:03 2009
> New Revision: 193198
> URL: http://svn.freebsd.org/changeset/base/193198
>
> Log:
> Make the pf and ipfw firewalls start before netif, just like ipfilter
> already does. This eliminates a logical inconsistency, and a small
> window where the system is open after the network comes up.
Unfortunately this is contrary to a lot of PRs and requests on mailing
lists out there that actually want the netif/network_ipv6 to be run
_before_ things come up. Especially pf really needs this to avoid
rules that need to do per-packet lookups of the interface address.
Further, ipfw has a default option that is settable at compile time and as
a TUNABLE to handle this window.
--
Bjoern A. Zeeb The greatest risk is not taking one.