
Re: boot order (bringing up interfaces and ipf)



Changing the rules to read "from any to any" changes the meaning of the
rules. I want to block traffic from the outside interface (ne0) to these
ports, and I want to allow traffic from the other interfaces. Hence the use
of the interface name. Do you have any other ideas?

ryan

> Change your rules to read "from any to any".
>
>
> ----- Original Message -----
> From: "ryc" <ryc@mail.utexas.edu>
> To: <misc@openbsd.org>
> Sent: Saturday, June 30, 2001 10:02 PM
> Subject: boot order (bringing up interfaces and ipf)
>
>
> > I ran into a problem and I am not sure what would be the best way to fix
> > this (OpenBSD 2.9). My problem is that on bootup ipf has an empty set of
> > rules besides pass in from any to any... etc. My internet interface is
> > configured via dhcp, and is not static. Some of my firewall rules contain
> > the interface name in them as such:
> >
> > block return-rst in log quick on ne0 proto tcp from any to ne0/32 port = X
> >
> > (where ne0 is the interface configured via dhcp)
> >
> > The problem is that on boot ipf is loaded before the interfaces are
> > configured... So ipf pukes when trying to load its rules, and when the box
> > finishes booting the rules are not active (I don't remember the error message
> > ipf says, but I will go get it from the terminal if anyone wants it).
> >
> > I can see why ipf is configured before the interfaces, but doing it this way
> > screws up my rules.
> >
> > Is there a better way to write the rules so ipf will load them without
> > the interface having an ip address? Should I just reload the rules in
> > rc.local? Any ideas?
> >
> > Thanks,
> > ryan
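The rc.local reload that the original post floats, written out as an added example (not code from either poster): it waits until the DHCP-configured interface actually holds an IPv4 address before flushing the boot-time rules and loading the interface-specific ones, so that `ne0/32` can be resolved. The rules path, the timeout and the canned ifconfig text are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): an rc.local fragment that reloads
# interface-specific ipf rules only after the DHCP-configured interface
# (ne0, as in the post) actually holds an address.
# The rules path, the timeout and the ifconfig text are assumptions.

IF=ne0
RULES=/etc/ipf.rules   # assumed location of the full ruleset
MAX_WAIT=60            # seconds to wait for dhclient before giving up

# Constructed ifconfig output, used only to exercise has_inet_addr offline.
SAMPLE_UP='ne0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:5e:00:53:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_DOWN='ne0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:5e:00:53:01
        inet6 fe80::200:5eff:fe00:5301%ne0 prefixlen 64 scopeid 0x1'

# Succeed (exit 0) if the given ifconfig output shows an IPv4 address.
# "inet6" lines do not match because a space must follow "inet".
has_inet_addr() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet [0-9][0-9.]*'
}

# Poll ifconfig once a second until the interface has an address.
# Returns 0 when one appears, 1 when the timeout expires.
wait_for_addr() {
    _if=$1; _max=$2; _n=0
    while [ "$_n" -lt "$_max" ]; do
        if has_inet_addr "$(ifconfig "$_if" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        _n=$((_n + 1))
    done
    return 1
}

# Flush the boot-time rules and load the full set once ne0 is usable.
# Call this from rc.local; it is not run at top level so the file can
# also be sourced to check the helpers above without touching ipf.
reload_ipf_rules() {
    if wait_for_addr "$IF" "$MAX_WAIT"; then
        ipf -Fa -f "$RULES"
    else
        echo "rc.local: $IF has no address after ${MAX_WAIT}s; rules not reloaded" >&2
        return 1
    fi
}
```

Add `reload_ipf_rules` as the last line when pasting this into rc.local; until the interface is up, only the default boot-time rules are in force, so keep that window short.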