Subject: pf's rc.d script & startup priority
To: Peter Postma <peter@netbsd.org>
From: Luke Mewburn <lukem@NetBSD.org>
List: tech-security
Date: 08/08/2005 09:02:57

Hi Peter:

I noticed a couple of issues in the rc.d/pf script
(as compared to rc.d/ipfilter).

    *	rc.d/pf starts much later than rc.d/ipfilter.


    *	rc.d/pf doesn't abort the boot if the startup failed.


This raises the questions about rc.d/pf:

    1.	Should it be moved in the rcorder to a similar location
	to rc.d/ipfilter?

	Does rc.d/pf rely upon /usr as part of its startup?
	I don't think it does, unless pfspamd [from pkgsrc?]
	or other /usr-located programs are needed by pf.


    2.	Should it be modified to abort the boot if the firewall
	rules can't be loaded (a la rc.d/ipfilter)?

	[The rationale for this behaviour can be found
	in the mailing list archives; exactly when I can't recall].


Cheers,
Luke.
