Subject: Re: pf doesn't start normally anymore
To: Martin Husemann <martin@duskware.de>
From: mouss <usebsd@free.fr>
List: tech-security
Date: 08/18/2005 02:55:13
Martin Husemann wrote:

>On Tue, Aug 16, 2005 at 05:16:41PM +0200, mouss wrote:
>>the interfaces are already configured by "network", so it is trivial to 
>>add ifconfig down. and at worst:
>>   for if in `ifconfig -l`; do ifconfig $if down; done
>>then do the opposite after security is "ok".
>
>That would not work on several routers here - they configure for example
>gre tunnels that should not automagically go up.
that was just an example. consider this
# cat /etc/netaddr
ex0 10.1.2.3 255.0.0.0 static ...
..                                   gre ...

then
while read iface ip mask type rest; do
  if [ "$type" = "gre" ]; then
    continue   # ignore tunnel interfaces, they must not be touched here
  fi
  ifconfig "$iface" down
done < /etc/netaddr


>Some interfaces do not have IPs (or the right IP) before they are realy UP
>(think PPP).
well, nothing is perfect. if an interface needs to be configured via the 
network, and the default policy is to block anything before interfaces 
are configured, then that one will never get configured.
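The loop sketched in the mail, worked out as an added example (not code from the original thread): it reads a netaddr-style table of the assumed form "iface ip mask type ...", skips entries whose type column is "gre" so tunnels are left alone, and emits the ifconfig commands as a dry run so the selection can be reviewed before it is wired into the boot sequence. The file format, the helper names and the sample table are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original mail. The /etc/netaddr format is
# assumed to be: iface ip mask type [extra fields].

# Constructed sample of the assumed file format (not a real system file).
SAMPLE_NETADDR='ex0 10.1.2.3 255.0.0.0 static
# comment lines and blank lines are tolerated

gre0 192.0.2.1 255.255.255.255 gre
ex1 10.9.8.7 255.255.255.0 static'

# Print the names of interfaces that may be brought down before the packet
# filter is loaded, one per line. Reads the netaddr-style table on stdin.
ifaces_to_down() {
    while read -r iface ip mask type rest; do
        # skip blank lines and comments
        case "$iface" in ''|'#'*) continue ;; esac
        # tunnel interfaces such as gre must not be touched
        if [ "$type" = "gre" ]; then
            continue
        fi
        printf '%s\n' "$iface"
    done
}

# Emit the ifconfig commands instead of running them (dry run), so the
# selection can be checked before anything is actually taken down.
down_commands() {
    ifaces_to_down | while read -r iface; do
        printf 'ifconfig %s down\n' "$iface"
    done
}

printf '%s\n' "$SAMPLE_NETADDR" | down_commands
```

On a real system the dry run would read `< /etc/netaddr` instead of the constructed sample, and the printed commands would be executed once the list looks right. Interfaces that only obtain their address after coming up (the PPP case raised in the thread) still need their own exception in the type column.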