NetBSD/etc/rc.d
peter 9c1da17e90 pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security
2005-08-23 12:12:56 +00:00
accounting Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
altqd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
amd Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
apmd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
bootconf.sh Use new style command substitution. 2004-10-11 15:00:51 +00:00
bootparams Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ccd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
cgd Revert previous, for now. We don't umount filesystems in the shutdown 2005-03-02 19:09:22 +00:00
cleartmp Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
cron Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
DAEMON Correct the "direction" of the barrier dependencies (DAEMON, LOGIN, 2002-03-22 04:33:57 +00:00
dhclient Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
dhcpd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
dhcrelay Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
dmesg Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
downinterfaces Use new style command substitution. 2004-10-11 15:00:51 +00:00
fixsb Add a missing space in a comment 2004-12-30 09:32:13 +00:00
fsck Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ftpd Add command_args="-D" to the ftpd rc.d script. This flag is always needed 2005-08-09 14:59:33 +00:00
identd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ifwatchd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
inetd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ipfilter * Conditionalize flushing of IPv4 vs IPv6 rules based on the existence 2004-12-23 03:31:54 +00:00
ipfs Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ipmon Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ipnat Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
ipsec Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
isdnd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
kdc Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ldconfig Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
lkm1 Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
lkm2 Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
lkm3 Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
local Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
LOGIN Correct the "direction" of the barrier dependencies (DAEMON, LOGIN, 2002-03-22 04:33:57 +00:00
lpd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
Makefile pf needs to be started after the network is up, because some pf rules 2005-08-23 12:12:56 +00:00
mixerctl Use new style command substitution. 2004-10-11 15:00:51 +00:00
mopd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
motd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
mountall Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
mountcritlocal Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
mountcritremote Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
mountd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
moused Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
mrouted Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
named Improve on the migration bit. Check if files are different, and if not, 2005-07-17 21:28:45 +00:00
ndbootd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
network PR/29317: ifconfig.if does not allow parameters with spaces 2005-06-28 13:36:40 +00:00
NETWORKING Correct the "direction" of the barrier dependencies (DAEMON, LOGIN, 2002-03-22 04:33:57 +00:00
newsyslog Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
nfsd Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
nfslocking Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
ntpd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ntpdate Explicitly REQUIRE mountcritremote, since this uses awk. 2005-03-15 12:06:12 +00:00
pf pf needs to be started after the network is up, because some pf rules 2005-08-23 12:12:56 +00:00
pf_boot pf needs to be started after the network is up, because some pf rules 2005-08-23 12:12:56 +00:00
pflogd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
poffd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
postfix Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
powerd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ppp Use new style command substitution. 2004-10-11 15:00:51 +00:00
pwcheck Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
quota Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
racoon Add the `shutdown' keyword, giving racoon a chance to flush the SAD 2004-12-07 17:37:15 +00:00
raidframe Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
raidframeparity Use new style command substitution. 2004-10-11 15:00:51 +00:00
rarpd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
rbootd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
root Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
route6d Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
routed Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
rpcbind Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
rtadvd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
rtclocaltime Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
rtsold Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
rwho Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
savecore Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
screenblank Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
securelevel Use new style command substitution. 2004-10-11 15:00:51 +00:00
sendmail Quieten stat(1) with the -q flag. 2004-08-19 04:44:10 +00:00
SERVERS Correct the "direction" of the barrier dependencies (DAEMON, LOGIN, 2002-03-22 04:33:57 +00:00
smmsp Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
sshd Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
staticroute Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
swap1 Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
swap2 Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
sysctl Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
sysdb Fix for /bin/ksh, from Jukka Salmi in PR 27232. 2004-10-12 13:23:44 +00:00
syslogd Use load_rc_config basename chrootdirscript in a subshell to determine 2004-10-11 13:29:52 +00:00
timed Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
tpctl Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ttys Don't try to chmod ptys if we have none. 2004-11-10 05:04:51 +00:00
veriexec Run veriexec before securelevel and sysctl scripts. Suggested by Nino Dehne. 2005-06-15 18:49:40 +00:00
virecover Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
wdogctl Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
wscons Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
wsmoused Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
xdm Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
xfs Add an _rc_subr_loaded variable, set to ":" by rc.subr. Scripts can use this 2004-08-13 18:08:03 +00:00
ypbind Use new style command substitution. 2004-10-11 15:00:51 +00:00
yppasswdd Use 'load_rc_config_var CMD VAR' to set VAR for "foreign" rc.conf(5) 2004-10-12 14:51:03 +00:00
ypserv ypserv(8) doesn't need the domainname(1) set -- it will serve any maps 2005-04-01 23:25:29 +00:00