[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: initial pf-rules -> sysctl -> networking

To: misc@openbsd.org
Subject: Re: initial pf-rules -> sysctl -> networking
From: Han Boetes <han@mijncomputer.nl>
Date: Sun, 2 Nov 2003 23:07:43 +0059
Content-Disposition: inline
Mail-Followup-To: misc@openbsd.org
References: <20031102194243.GC32117@boetes.org> <20031102212913.GP6502@othin.ninehells.com>
User-Agent: Mutt/1.5.4i

Peter H. Coffin wrote:
> On Sun, Nov 02, 2003 at 08:42:21PM +0100, Han Boetes wrote:
> > In /etc/rc first the initial pf-rules are loaded and then the
> > sysctls are loaded and then networking is started.
> > It seems to be more logical to first load the sysctl, then load the
> > initial pf-rules and then networking is started.
> >
> > So what's the practical reason for this order?
>
> Sysctl controls kernel routing, right? Perhaps networking is already on for
> some reason, and sysctl gets turned on, leaving a window of un-pf'ed
> routing happening until the pf ruleset is loaded. That might be a
> potential exposure.

No, networking is not enabled before networking is enabled. It doesn't
really make sense what you are saying here.


> What would be your gain were sysctl to happen prior to pf-rules being
> loaded?

It seems more logical to me. Ow, I already said that.




# Han

References:
- initial pf-rules -> sysctl -> networking
  - From: Han Boetes <han@mijncomputer.nl>
- Re: initial pf-rules -> sysctl -> networking
  - From: "Peter H. Coffin" <hellsop@ninehells.com>

Prev by Date: tcptraceroute port not functioning property?
Next by Date: Getting Ctrl+Alt+Backspace to work with new X
Prev by thread: Re: initial pf-rules -> sysctl -> networking
Next by thread: Re: initial pf-rules -> sysctl -> networking
Index(es):
- Date
- Thread