Subject: pf's rc.d script & startup priority
To: Peter Postma <peter@netbsd.org>
From: Luke Mewburn <lukem@NetBSD.org>
List: tech-security
Date: 08/08/2005 09:02:57

Hi Peter:

I noticed a couple of issues in the rc.d/pf script
(as compared to rc.d/ipfilter).

* rc.d/pf starts much later than rc.d/ipfilter.
* rc.d/pf doesn't abort the boot if the startup failed.

This raises the following questions about rc.d/pf:

1. Should it be moved in the rcorder to a similar location
   to rc.d/ipfilter?
   Does rc.d/pf rely upon /usr as part of its startup?
   I don't think it does, unless pfspamd [from pkgsrc?]
   or other /usr-located programs are needed by pf.

2. Should it be modified to abort the boot if the firewall
   rules can't be loaded (a la rc.d/ipfilter)?
   [The rationale for this behaviour can be found
   in the mailing list archives; exactly when I can't recall].

Cheers,
Luke.