The NetBSD Project

CVS log for src/etc/rc.d/pf



Default branch: MAIN
Current tag: netbsd-3-1-1-RELEASE


Revision 1.3.2.3, Fri Sep 2 12:29:37 2005 UTC (18 years, 7 months ago) by tron
Branch: netbsd-3
CVS Tags: netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0
Changes since 1.3.2.2: +8 -3 lines
Diff to previous 1.3.2.2 (colored) to branchpoint 1.3 (colored) next main 1.4 (colored)

Pull up following revision(s) (requested by peter in ticket #717):
	usr.sbin/pf/man/man5/pf.boot.conf.5: revision 1.1
	usr.sbin/postinstall/postinstall: revision 1.4
	etc/rc.d/pf: revision 1.6
	etc/rc.d/pf_boot: revision 1.1
	usr.sbin/pf/etc/defaults/pf.boot.conf: revision 1.1
	usr.sbin/pf/Makefile: revision 1.7
	etc/rc.d/Makefile: revision 1.52
	etc/mtree/special: revision 1.89
	usr.sbin/pf/man/man5/Makefile: revision 1.5
	usr.sbin/pf/etc/defaults/Makefile: revision 1.1
pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window for possible attacks from the network.
Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.
No objections on: tech-security
