Re: initial pf-rules -> sysctl -> networking
From: Peter H. Coffin (hellsop at ninehells.com)
Date: Sun Nov 02 2003 - 15:29:13 CST
On Sun, Nov 02, 2003 at 08:42:21PM +0100, Han Boetes wrote:
> In /etc/rc first the initial pf-rules are loaded and then the sysctls
> are loaded and then networking is started.
> It seems to be more logical to first load the sysctl, then load the
> initial pf-rules and then networking is started.
>
> So what's the practical reason for this order?
Sysctl controls kernel routing, right? Perhaps networking is already on for
some reason, and sysctl gets turned on, leaving a window of un-pf'ed
routing happening until the pf ruleset is loaded. That might be a
potential exposure.
What would be your gain were sysctl to happen prior to pf-rules being
loaded?
--
Pieces of seven! Pieces of seven! (Hrm, parroty error)
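The exposure window the reply describes is an ordering property of the boot script: the filter must be enabled before anything that can turn on forwarding or bring up interfaces. The script below is an added example, not code from either poster or from OpenBSD's /etc/rc; it checks a boot-script excerpt for exactly that ordering. The two rc excerpts are constructed for the example and only model the sequence the thread describes (pfctl -e, then sysctl, then netstart); the command spellings and the /etc/netstart path are assumptions about how such a script is written, not a quotation of the real file.

```sh
#!/bin/sh
# Added example (not from the original thread or from OpenBSD's /etc/rc):
# verify that a boot script enables pf before it applies any sysctl and
# before it starts networking, so there is no window of unfiltered routing.

# first_line PATTERN FILE -> print the line number of the first line
# matching the (awk) regex PATTERN, or nothing if no line matches.
first_line() {
    awk -v pat="$1" '$0 ~ pat { print NR; exit }' "$2"
}

# check_order FILE -> return 0 when pf is enabled before the first sysctl
# line and before netstart; return 1 (with a reason on stdout) otherwise.
check_order() {
    pf=$(first_line '^pfctl -e' "$1")
    sc=$(first_line '^sysctl ' "$1")
    net=$(first_line '^sh /etc/netstart' "$1")   # assumed netstart invocation

    [ -n "$pf" ]  || { echo "no 'pfctl -e' found: filter never enabled"; return 1; }
    [ -n "$net" ] || { echo "no netstart invocation found"; return 1; }

    if [ -n "$sc" ] && [ "$sc" -lt "$pf" ]; then
        echo "sysctl at line $sc runs before pf is enabled at line $pf"
        return 1
    fi
    if [ "$net" -lt "$pf" ]; then
        echo "netstart at line $net runs before pf is enabled at line $pf"
        return 1
    fi
    echo "ok: pf enabled at line $pf, sysctl at line ${sc:-none}, netstart at line $net"
    return 0
}

# Constructed excerpt in the order the thread describes: pf, sysctl, networking.
GOOD_RC=$(mktemp)
cat >"$GOOD_RC" <<'EOF'
# constructed rc excerpt, not the real /etc/rc
mount -a -t nonfs
pfctl -e
pfctl -f /etc/pf.boot.conf
sysctl net.inet.ip.forwarding=1
sh /etc/netstart
pfctl -f /etc/pf.conf
EOF

# Constructed excerpt in the order the question proposes: sysctl first.
BAD_RC=$(mktemp)
cat >"$BAD_RC" <<'EOF'
# constructed rc excerpt, not the real /etc/rc
mount -a -t nonfs
sysctl net.inet.ip.forwarding=1
pfctl -e
pfctl -f /etc/pf.boot.conf
sh /etc/netstart
pfctl -f /etc/pf.conf
EOF

check_order "$GOOD_RC"
check_order "$BAD_RC" || echo "ordering problem detected in $BAD_RC"
```

Run it against a copy of your own rc script by calling check_order on that path; the check only looks at line order, so a sysctl that merely reads a value would also be flagged, which is the conservative side to err on.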