[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: initial pf-rules -> sysctl -> networking

To: misc@openbsd.org
Subject: Re: initial pf-rules -> sysctl -> networking
From: "Peter H. Coffin" <hellsop@ninehells.com>
Date: Sun, 2 Nov 2003 15:29:13 -0600
Content-Disposition: inline
Mail-Followup-To: misc@openbsd.org
References: <20031102194243.GC32117@boetes.org>
User-Agent: Mutt/1.5.4i

On Sun, Nov 02, 2003 at 08:42:21PM +0100, Han Boetes wrote:
> In /etc/rc first the initial pf-rules are loaded and then the sysctls
> are loaded and then networking is started.
> It seems to be more logical to first load the sysctl, then load the
> initial pf-rules and then networking is started.
> 
> So what's the practical reason for this order?

Sysctl controls kernel routing, right? Perhaps networking is already on for
some reason, and sysctl gets turned on, leaving a window of un-pf'ed
routing happening until the pf ruleset is loaded. That might be a
potential exposure.

What would be your gain were sysctl to happen prior to pf-rules being
loaded?

-- 
Pieces of seven!  Pieces of seven!  (Hrm, parroty error)

Follow-Ups:
- Re: initial pf-rules -> sysctl -> networking
  - From: Han Boetes <han@mijncomputer.nl>

References:
- initial pf-rules -> sysctl -> networking
  - From: Han Boetes <han@mijncomputer.nl>

Prev by Date: Re: Nested macros problem in pf.conf
Next by Date: Re: Nested macros problem in pf.conf
Prev by thread: initial pf-rules -> sysctl -> networking
Next by thread: Re: initial pf-rules -> sysctl -> networking
Index(es):
- Date
- Thread