On Sep 06 13:08:33, Peter Fraser wrote:
> ntpd hangs and cannot be interrupted. The only way to continue is to do a
> hardware reset.

Doesn't it time out eventually?

> As an aside, it was on my firewall. My firewall makes use of my dns which is
> on the inside of my network, but during the booting process the pf.conf cannot
> refer to dns names that are defined on the outside.

Use IP addresses in pf.conf, not names.

> The startup pf.conf built into /etc/rc

There is no "startup pf.conf built into /etc/rc"

> allows dns requests originating from machine being booted only.

The default is to NOT run pf at all, so it allows everything.

> For an external name, my dns has to pass a request through the firewall to the
> outside dns server. That cannot be done until the system is fully booted,

Whether "the system" is the inside dns client or the firewall, this is not
necessarily true. As soon as the firewall routes packets and does NAT
correctly, inside machines can use it as a gateway (while other
processes are still starting on the firewall).

If I read /etc/rc right, pf is already running when booting gets to ntpd.

> The solutions are:
> 1) don't use any external dns names in your pf.conf

Don't use ANY names in pf.conf

> 2) have three stage bootstrap of pf,
>    First stage, the code in /etc/rc
>    Second stage, /etc/rc.conf.local has pf.conf to allow the inside
> nameservers to pass through
>    Third stage, /etc/rc.local has code to set the final pf.conf file

No. Set pf.conf to do what you want, allow pf in rc.conf.local,
and let /etc/rc do the rest as it's supposed to.

> 3) put all external dns names in tables that have their contents
>    defined in /etc/rc.local (this is the one I currently use)

That is, duplicate external DNS information locally? No.

> 4) Modify /etc/rc

Whoa, stop right here!

> to allow pass through of dns requests.
>    The ones that should be allowed to pass through would be the nameservers
>    defined in /etc/resolv.conf (this is what I would like)

Setting up your firewall happens in pf.conf, NOT in /etc/rc.
You should never touch /etc/rc.

        Jan

(You _have_ read man rc, right?)
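As an added illustration of the advice in this reply (this is not Jan's or Peter's configuration), the following minimal /etc/pf.conf uses only IP addresses. pfctl resolves any hostname in the ruleset through the system resolver at load time, which is exactly why a name-bearing pf.conf cannot be loaded by /etc/rc before the resolver path is open; with literal addresses the ruleset loads with no DNS at all. Interface names, the inside network, and the resolver addresses are constructed placeholders, not values from the thread.

```pf
# /etc/pf.conf -- added example, addresses and interfaces are placeholders
ext_if = "fxp0"                               # outside interface (assumed)
int_if = "fxp1"                               # inside interface (assumed)
int_net = "192.0.2.0/24"                      # inside network (constructed)
int_dns = "192.0.2.53"                        # inside resolver (constructed)
ext_dns = "{ 198.51.100.1, 198.51.100.2 }"    # outside resolvers (constructed)

set skip on lo

# Default deny; everything below is an explicit exception.
block log all

# Inside hosts may only talk DNS to the inside resolver.
pass in on $int_if proto { tcp, udp } from $int_net to $int_dns port domain

# The inside resolver may forward to the outside resolvers through this box.
pass in  on $int_if proto { tcp, udp } from $int_dns to $ext_dns port domain
pass out on $ext_if proto { tcp, udp } from $int_dns to $ext_dns port domain

# The firewall itself (e.g. ntpd) may reach the outside resolvers directly.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $ext_dns port domain
```

Check the file for syntax errors without loading it with `pfctl -nf /etc/pf.conf`; the parse succeeds even with no resolver available precisely because no rule contains a name. Enable pf with `pf=YES` in /etc/rc.conf.local on releases where it is not on by default, and leave /etc/rc alone, as the reply says. If the firewall also does NAT for the inside network, that rule belongs in the same file, not in a later "stage".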
