Hi guys,

Long time no see :P

I don't have anything to say directly about this issue (other than
that I'm leaning towards Doug's reasoning on this) but I'm working on
a patch to integrate IPv6 handling into rc.d/netif, which might
indirectly have a bearing on this discussion. I'm currently testing
the patch. I'll post it to the list as soon as I'm fairly certain it
doesn't break anything too much. In my patch, IPv6 is configured in
rc.d/netif right after IPv4. In general terms it goes something like
this:
  o General net configuration (cloning, renaming, etc)
  o General pre-IPv6 configuration
  o Get list of all interfaces
  o For each interface:
     - Configure IPv4
     - Configure IPv6
        - Static configuration
        - rtsol
        - aliases
  o General post-IPv6 configuration

I think that up until now the separation of general interface
configuration and IPv6 configuration has complicated the ordering of
routing and firewall scripts. Hopefully, the patch will remove some of
those complications. I'll get back to you with the patch in the next
couple of days.


Cheers,
Mike.

On 3/19/07, Doug Barton <[EMAIL PROTECTED]> wrote:
Kian Mohageri wrote:

> I agree VERY MUCH with this sort of approach.  It would be a much
> cleaner solution than completely separate handling of all of these
> different problems.  I'm trying to get an idea of what all of the major
> problems with the current order are, and these are the ones I'm aware of:
>
> - ipfw blocks by default (names unresolvable, rtsol breaks)
> - ipf/pf pass by default (services are unprotected)
>
> I think a firewall_boot script (similar to what you've proposed) could
> potentially solve all of these problems.

I'm glad that you like the idea in principle, however I'm sorry to say
that I don't see eye to eye with your suggestion of modifying the
early behavior instead of the late behavior.

I believe (for whatever that's worth) that firewalls (and firewall
rules) _should_ be loaded prior to the interfaces coming up. If
someone wants to have dynamic rules, rules that rely on name
resolution, or rules for non-physical (e.g., cloned) interfaces,
that's fine, but IMO those are the exception, not the rule.
Furthermore (and I'm betraying a prejudice here) I think that firewall
rules that rely on name resolution are absolutely nuts, and I say that
with many years of experience as a professional DNS and system
administrator.

Therefore I believe strongly that the default behavior should be
changed to load all firewalls (and rules) before netif, and that those
who want to do firewall-related things that require netif or routing
to be up should be the ones who have to opt in to the new script. That
said, I think you and I have expressed our opinions pretty clearly on
these points, so I'd suggest that we let someone else have a turn.

Doug

--

     This .signature sanitized for your protection
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-rc
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
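Doug's position above is that the firewall scripts should run before netif so that interfaces never come up with a pass-by-default ruleset (the ipf/pf case Kian lists). An added sanity check for that ordering, not part of the thread or of FreeBSD's own rc scripts: it reads an rcorder(8)-style listing and reports whether each firewall script present precedes netif. The listing embedded here is constructed; on a real host the input would be the output of `rcorder /etc/rc.d/*`.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed rcorder-style listing,
# one script path per line, deliberately with pf and ipfw after netif.
SAMPLE_ORDER='/etc/rc.d/hostid
/etc/rc.d/ipfilter
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/ipfw
/etc/rc.d/routing'

# check_fw_order: reads a listing on stdin and prints one line per firewall
# script (ipfw, ipfilter, pf) saying whether it runs before or after netif.
# Exit status: 0 if every firewall script present precedes netif, 1 if any
# of them runs after it, 2 if netif is missing from the listing.
check_fw_order() {
    awk '
        { n++; pos[$0] = n }            # boot position of each script
        END {
            netif = pos["/etc/rc.d/netif"]
            if (!netif) { print "netif not found in listing"; exit 2 }
            bad = 0
            nfw = split("ipfw ipfilter pf", fw, " ")
            for (i = 1; i <= nfw; i++) {
                p = "/etc/rc.d/" fw[i]
                if (!(p in pos)) continue   # firewall not in this boot set
                if (pos[p] < netif)
                    print fw[i] ": before netif (ok)"
                else {
                    print fw[i] ": AFTER netif (interfaces up before rules load)"
                    bad = 1
                }
            }
            exit bad
        }'
}

# fw_order_status: same check on a listing passed as a string, status only.
fw_order_status() {
    printf '%s\n' "$1" | check_fw_order >/dev/null
}

printf '%s\n' "$SAMPLE_ORDER" | check_fw_order || echo "boot order problem detected"
```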
