On Tuesday, 03.10.2006, 12:15 -0500, Bill Marquette wrote:
> I wonder if the package system is called far enough into the boot
> process to shim this in after start_ftp_helpers is called. You might
> be able to create a start script that calls /etc/rc.filter_configure.
> Looks like this is what you want in /etc/rc.bootup
> mwexec("sh /usr/local/etc/rc.d/{$filename} start >>/tmp/bootup_messages 2>&1");
> it's well past the ftp_helpers.
No problem for me to adapt some bootup scripts. I've got more than 13
years' experience in several *NIX systems. I simply don't want to. I'm
choosing a system like pfSense because it's easy to set up, back up
and so on. Everything I'm adding manually breaks that. If I find something
that's not OK, I'll take a look at it and try to solve it, giving
some of my results back to the community.
> There are plenty of discussions on this, I don't have any links handy,
> sorry. But it goes along the lines of: layer7 protocol analysis in
> kernel is a bad idea - protocol bugs directly result in ring0
> compromise (bad!). Using divert() style sockets is moderately better,
> but results in dropping the analysis and throughput to userland, which
> can be slow. ftpsesame is a better compromise in that all it really
> needs to do is run a bpf listener and add/remove rules as needed.
> Some protocols (pptp, ipsec, etc.) can only be NAT'd in kernel due to
> the way the protocols work, but in those cases, it's not a rule issue,
> it's a NAT issue that can't be solved outside of the kernel. IPFilter
> has various "proxy" modules to handle some of this. At the end of the
> day, the Linux folks are more open to polluting their kernel with junk
> than the OpenBSD folks.
OK, that makes sense to me. The old problem of userland vs. kernel-space
coding. I've brought down the Linux kernel several times when I wrote
some vlan code for my diploma thesis some years ago (was Linux
1.5.x ;-)). I do know what one wrong pointer in kernel code means,
believe me.
BR and thanks for explaining,
PIT
---------------------------------------------------------------------------
copyleft(c) by | _-_ Win95 is not a virus; a virus does something.
Peter Allgeyer | 0(o_o)0 -- unknown source
---------------oOO--(_)--OOo-----------------------------------------------
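Added example, not code from this thread, from pfSense or from ftpsesame: a sketch of the userland helper approach Bill describes (watch the FTP control channel, derive the data-channel pinhole, hand a rule to the firewall). The control-channel lines are constructed, the function names are hypothetical, and the pf rule text is illustrative; the point is the check a helper should make before opening anything.

```python
# Added example, not code from this thread, pfSense or ftpsesame: a sketch of
# the userland helper idea (watch the FTP control channel, derive pinholes).
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2" comes from the client; "227 ... (h1,h2,h3,h4,p1,p2)"
# is the server's passive-mode reply. Both advertise an IP and a port.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Pinhole:
    direction: str  # "active": server dials client; "passive": client dials server
    host: str
    port: int


def _decode(fields: Tuple[str, ...]) -> Optional[Tuple[str, int]]:
    """Turn the six comma-separated decimal fields into (ip, port), or None if malformed."""
    vals = [int(f) for f in fields]
    if any(v > 255 for v in vals):
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Return the pinhole a control-channel line implies, or None.
    The advertised address must match the peer that sent it and the port must be
    unprivileged; anything else is dropped rather than opened (bounce guard)."""
    m = _PORT_RE.match(line)
    if m:
        ep = _decode(m.groups())
        return Pinhole("active", *ep) if ep and ep[0] == client_ip and ep[1] >= 1024 else None
    m = _PASV_RE.match(line)
    if m:
        ep = _decode(m.groups())
        return Pinhole("passive", *ep) if ep and ep[0] == server_ip and ep[1] >= 1024 else None
    return None


def pf_rule(p: Pinhole, client_ip: str, server_ip: str) -> str:
    """Illustrative pf-style rule text for one pinhole (syntax is an assumption)."""
    if p.direction == "active":
        return f"pass in quick proto tcp from {server_ip} port 20 to {p.host} port {p.port}"
    return f"pass out quick proto tcp from {client_ip} to {p.host} port {p.port}"
```

A real helper would also remove the rule once the data connection closes, which is the add/remove cycle Bill refers to.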