Subject: Re: pf's rc.d script & startup priority
To: Luke Mewburn <>
From: Peter Postma <>
List: tech-security
Date: 08/08/2005 02:14:01
On Mon, Aug 08, 2005 at 09:02:57AM +1000, Luke Mewburn wrote:
> Hi Peter:
> I noticed a couple of issues in the rc.d/pf script
> (as compared to rc.d/ipfilter).
>     *	rc.d/pf starts much later than rc.d/ipfilter.
>     *	rc.d/pf doesn't abort the boot if the startup failed.
> This raises the questions about rc.d/pf:
>     1.	Should it be moved in the rcorder to a similar location
> 	to rc.d/ipfilter?

Yes, that's a good idea. It's now started after some daemons are already up
and that's way too late.

> 	Does rc.d/pf rely upon /usr as part of its startup?
> 	I don't think it does, unless pfspamd [from pkgsrc?]
> 	or other /usr-located programs are needed by pf.

Yes, if used as LKM. But if we start it after the LKMs then it should be

I've tried the REQUIRE line from the ipfilter script in the pf script but it
still gets ordered too late. Do you have a suggestion?

>     2.	Should it be modified to abort the boot if the firewall
> 	rules can't be loaded (a la rc.d/ipfilter) ?
> 	[The rationale for this behaviour can be found
> 	in the mailing list archives; exactly when I can't recall].

Good idea too, we should do that. It's nice when both scripts behave the

Peter Postma