[ Re-locating this thread from -stable. ]
Mark Andrews wrote:
>> On Saturday 17 March 2007 03:58, Mark Andrews wrote:
>>
>>>>> nothing goes to this machine because by default everything is blocked
>>>>> until
>>>>>
>>>>> you permit it
>>>> You're absolutely correct, however your original post seems to have
>>>> taken many of us by surprise, causing some of us (at least me!) to
>>>> assume that you've changed the default method to allow. I'm obviously
>>>> misunderstanding, so I apologise for that, but I hope you can see the
>>>> reasoning behind my comments with what I knew at the time.
>>> ipfw needs to be before networking or router discovery
>>> fails for IPv6.
>>>
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589
>>>
>>
>> as default any network connection will fail so long as you do not permit it
>>
>> If rtsol fails or is called too early it is an rtsol problem and not an ipfw
>> problem I guess
>>
>> named and ipfw before netif?
>
> ip6fw is before networking. ipfw is supposed to be taking
> over from ip6fw. ipfw and ip6fw should be started at a
> similar time.
>
> rtsol is approximately the equivalent to DHCP. The machine is
> requesting an address from the network. It doesn't matter if
> it is a router or a DHCP server that is supplying the address.
>
> DHCP only works because it bypasses the firewall.
Mark,

Currently the order (with some non-networking items removed) is:

/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/sppp
/etc/rc.d/auto_linklocal
/etc/rc.d/pccard
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

ipfilter starts very early in the "late" section of rcorder; it
requires mountcritlocal (the default early_late_divider) and has a
BEFORE: netif.

Currently ip6fw actually starts after routing (and therefore after
netif). Before we move it I think someone who knows more about how
rtsol works than I do should comment. AFAICT, network_ipv6 is going to
need routing up. If ip6fw's functionality is going to be subsumed into
ipfw, then changing ipfw to run before netif now, and nuking ip6fw
later, is probably sufficient.

If it's reasonable to conclude that we want all the firewalls to start
before netif, I see two ways to accomplish that. One would be to have
netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is
cleaner, but netif already has a pretty long REQUIRE line. The other
way would be to add a new FIREWALLS placeholder for the REQUIREs I'm
suggesting above, and then have netif REQUIRE that.

If, on the other hand, there is some reason NOT to start all the
firewalls before netif, then things get more complicated.

The attached patch changes the rcorder to the following:

/etc/rc.d/sppp
/etc/rc.d/ipfw
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/auto_linklocal
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

Thoughts?

Doug
--
This .signature sanitized for your protection
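To make the FIREWALLS placeholder idea concrete, here is a small Python model of how rcorder(8) resolves PROVIDE/REQUIRE/BEFORE headers into a start order. This is an added example, not code from the thread or from FreeBSD: the script headers are constructed stand-ins for the real /etc/rc.d files (reduced to the handful of scripts the discussion is about), and rcorder's other keywords are not modelled. It builds three layouts: the current one (pf and ipfw ordered after netif/routing), the placeholder layout (netif REQUIREs FIREWALLS, which REQUIREs the three firewalls), and a broken variant that keeps pf's REQUIRE on netif, which turns the placeholder into a dependency cycle that rcorder would refuse to order.

```python
"""Toy model of rcorder(8) dependency resolution for rc.d scripts.

Added example, not FreeBSD's code: the headers below are constructed
stand-ins for the real /etc/rc.d files and carry only the PROVIDE /
REQUIRE / BEFORE keywords that rcorder(8) reads.
"""
import re
from collections import defaultdict, deque

KEYWORD_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.MULTILINE)

# Today's layout (constructed): pf and ipfw come up after netif/routing,
# ipfilter is already forced before netif by its BEFORE line.
CURRENT = {
    "mountcritlocal": "# PROVIDE: mountcritlocal\n",
    "ipfilter": "# PROVIDE: ipfilter\n# REQUIRE: mountcritlocal\n# BEFORE: netif\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: mountcritlocal\n",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: netif\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: routing\n",
}

# The FIREWALLS placeholder: netif REQUIREs FIREWALLS, which in turn REQUIREs
# every firewall script, and the firewalls no longer depend on netif.
PROPOSED = dict(CURRENT)
PROPOSED.update({
    "FIREWALLS": "# PROVIDE: FIREWALLS\n# REQUIRE: ipfilter pf ipfw\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: mountcritlocal FIREWALLS\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: mountcritlocal\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: mountcritlocal\n",
})

# Placeholder added but pf still REQUIREs netif: pf -> FIREWALLS -> netif -> pf.
CYCLIC = dict(PROPOSED)
CYCLIC["pf"] = "# PROVIDE: pf\n# REQUIRE: mountcritlocal netif\n"


def parse_headers(scripts):
    """Map script name -> {'PROVIDE': [...], 'REQUIRE': [...], 'BEFORE': [...]}."""
    parsed = {}
    for name, text in scripts.items():
        keywords = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
        for key, value in KEYWORD_RE.findall(text):
            keywords[key].extend(value.split())
        parsed[name] = keywords
    return parsed


def rcorder(scripts):
    """Return a start order honouring REQUIRE/BEFORE (Kahn's topological sort).

    Raises ValueError on a dependency cycle, where rcorder(8) reports a
    circular dependency. Ties are broken alphabetically so the result is stable.
    """
    parsed = parse_headers(scripts)
    providers = defaultdict(list)
    for name, kw in parsed.items():
        for provided in kw["PROVIDE"]:
            providers[provided].append(name)

    edges = defaultdict(set)            # a -> b means "a must start before b"
    indegree = {name: 0 for name in parsed}

    def add_edge(a, b):
        if b not in edges[a]:
            edges[a].add(b)
            indegree[b] += 1

    for name, kw in parsed.items():
        for required in kw["REQUIRE"]:
            for provider in providers.get(required, []):  # unknown names are skipped
                add_edge(provider, name)
        for later in kw["BEFORE"]:
            for consumer in providers.get(later, []):
                add_edge(name, consumer)

    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for nxt in sorted(edges[current]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(parsed):
        stuck = sorted(n for n in parsed if n not in order)
        raise ValueError("circular dependency among: " + ", ".join(stuck))
    return order


def firewalls_before_netif(scripts, firewalls=("ipfilter", "pf", "ipfw")):
    """True if every firewall script is ordered ahead of netif."""
    order = rcorder(scripts)
    return all(order.index(fw) < order.index("netif") for fw in firewalls)


def has_cycle(scripts):
    """True if rcorder() cannot produce an order for these headers."""
    try:
        rcorder(scripts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, layout in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, "->", " ".join(rcorder(layout)),
              "| firewalls before netif:", firewalls_before_netif(layout))
    print("cyclic layout rejected:", has_cycle(CYCLIC))
```

The point of the third layout is the practical caveat when adding a placeholder like FIREWALLS: every firewall script that netif will now depend on has to drop its own REQUIRE on netif (or on anything that requires netif, such as routing), otherwise the placeholder closes a loop and rcorder cannot produce a boot order at all.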
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"