From root@mbennett1.sj.scruznet.com  Fri Mar 28 22:28:55 1997
Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id WAA12511
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 28 Mar 1997 22:27:34 -0800 (PST)
Received: from mbennett1.sj.scruznet.com by agora.rdrop.com with smtp
	(Smail3.1.29.1 #17) id m0wArbk-0008rxC; Fri, 28 Mar 97 22:27 PST
Received: (from root@localhost)
          by mbennett1.sj.scruznet.com (8.8.4/8.8.4)
	  id WAA00320; Fri, 28 Mar 1997 22:23:48 -0800 (PST)
Message-Id: <199703290623.WAA00320@mbennett1.sj.scruznet.com>
Date: Fri, 28 Mar 1997 22:23:48 -0800 (PST)
From: nsayer@quack.kfu.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: rc.firewall should be run after interfaces are up
X-Send-Pr-Version: 3.2

>Number:         3136
>Category:       misc
>Synopsis:       rc.firewall should be run after interfaces are up
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 28 22:30:00 PST 1997
>Closed-Date:    Sun Mar 22 18:04:11 PST 1998
>Last-Modified:  Sun Mar 22 18:04:54 PST 1998
>Originator:     Nick Sayer
>Release:        FreeBSD 2.2-BETA_A i386
>Organization:
just me
>Environment:

This machine is a router that uses natd.
The natd command line specifies that the address used for port mapping
should be obtained from tun0.

>Description:

With the default ordering of netstart, the firewall rules are loaded
before the interfaces are configured. This is backwards, since
tun0 will not have a (useful) address until it is initialized.
Neither will any other interface, for that matter.

Running the firewall setup after the interfaces are configured does not
open any security hole, since the default policy is to pass no traffic
until the rules are loaded.
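An added example, not part of this PR or of FreeBSD's netstart, of the check a firewall script can make before using an interface address: parse ifconfig-style output, load the address-dependent rules only once the interface has an address, and otherwise stay in the default-deny state (the ifconfig output and addresses are constructed):

```shell
#!/bin/sh
# Added example (not from the PR). Decide whether an interface is usable
# before a firewall script references its address. The ifconfig output is
# passed in as text so the script runs offline; SAMPLE_* are constructed.

# Constructed ifconfig output: tun0 before and after initialisation.
SAMPLE_DOWN='tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000'
SAMPLE_UP='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

# iface_inet_addr OUTPUT IFNAME
# Print the first inet address configured on IFNAME; fail (status 1) when
# the interface is absent or has no address yet, which is the state the old
# netstart ordering left tun0 in when rc.firewall ran.
iface_inet_addr() {
	printf '%s\n' "$1" | awk -v want="$2" '
		/^[a-z0-9]+:/ { cur = substr($1, 1, length($1) - 1); next }
		cur == want && $1 == "inet" { print $2; found = 1; exit }
		END { exit found ? 0 : 1 }'
}

# firewall_action OUTPUT IFNAME
# What a wrapper around rc.firewall should do: report "load:<addr>" once the
# interface has an address so address-dependent rules can be installed, or
# "deferred" (status 1) so the caller keeps the default-deny state and retries
# or logs the condition instead of installing rules against a bogus address.
firewall_action() {
	addr=$(iface_inet_addr "$1" "$2") || { echo "deferred"; return 1; }
	echo "load:$addr"
}

firewall_action "$SAMPLE_DOWN" tun0 || echo "tun0 not ready"   # deferred
firewall_action "$SAMPLE_UP" tun0                              # load:192.0.2.10
```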

>How-To-Repeat:

>Fix:
*** /etc/netstart-	Mon Dec 23 19:33:04 1996
--- /etc/netstart	Fri Mar 28 22:11:51 1997
***************
*** 23,33 ****
  	domainname $defaultdomainname
  fi
  
- # If IP filtering
- if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then
- 	sh /etc/rc.firewall
- fi
- 
  #
  # XXX This is known to cause an error if /usr is nfs mounted since it
  # will not be available until after the network is up :-(.  Once the
--- 23,28 ----
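Review bot: removing the `# If IP filtering` block here means no rules are loaded during the `domainname` step and everything else that runs before the interface loop; the PR justifies that only by the default policy passing no traffic, so the commit message for this change should state explicitly that the new ordering relies on a default-deny policy, and the re-added copy later in the patch should keep exactly the same guard `[ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ]` so hosts with `firewall=NO` behave as before.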
***************
*** 67,72 ****
--- 62,72 ----
  	fi
  	ifconfig ${ifn}
  done
+ 
+ # If IP filtering
+ if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then
+ 	sh /etc/rc.firewall
+ fi
  
  if [ -n "$defaultrouter" -a "x$defaultrouter" != "xNO" ] ; then
  	static_routes="default ${static_routes}"
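Review bot: the block is inserted after the `ifconfig ${ifn}` loop but ahead of the `defaultrouter`/`static_routes` setup, so rc.firewall now runs with interface addresses available but before any routes exist; that is the right spot for address-dependent rules, but the `# If IP filtering` comment should say it must stay between the interface loop and the route setup so a later reorganization does not move it back. The hunk also does not show which interfaces `${ifn}` iterates over, and the Environment says natd takes its address from tun0, so the PR should confirm that tun0 is configured by this loop (or earlier) rather than by a later step, otherwise the move does not fix the reported case.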

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed
State-Changed-By: jkh
State-Changed-When: Fri Apr 25 04:24:20 MET DST 1997
State-Changed-Why:
Would you be willing to review a more comprehensive reorganization of all
this which just happens to fix your PR as a side-effect? ;-)
State-Changed-From-To: analyzed->closed
State-Changed-By: steve
State-Changed-When: Sun Mar 22 18:04:11 PST 1998
State-Changed-Why:
Closed at originator's request.
>Unformatted:

