NetBSD/usr.sbin/pf
peter 9c1da17e90 pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override them with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security
2005-08-23 12:12:56 +00:00
authpf merge after importing pf from openbsd 3.6. (userland part) 2004-11-14 11:26:43 +00:00
etc pf needs to be started after the network is up, because some pf rules 2005-08-23 12:12:56 +00:00
examples Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it 2005-06-27 20:32:39 +00:00
ftp-proxy Add MKIPFILTER; if set to no, don't build and install the ipf(4) programs, 2005-02-22 14:39:58 +00:00
man pf needs to be started after the network is up, because some pf rules 2005-08-23 12:12:56 +00:00
pfctl merge after importing pf from openbsd 3.6. (userland part) 2004-11-14 11:26:43 +00:00
pflogd Change BINDIR to /sbin and support MKDYNAMICROOT. 2005-03-15 17:45:11 +00:00
compat_openbsd.h Add a small replacement for strtonum(). 2005-03-15 16:28:29 +00:00
Makefile pf needs to be started after the network is up, because some pf rules 2005-08-23 12:12:56 +00:00
Makefile.inc don't use variable arg macro, which is not supported by gcc2. 2004-11-16 05:14:12 +00:00