On 07/14/2008 12:52:16 AM, Ryan McBride wrote:
> On Sun, Jul 13, 2008 at 02:44:40PM -0500, Karl O. Pinc wrote:
> > On 07/12/2008 04:12:14 PM, Karl O. Pinc wrote:
> >> The one unusual thing about my configuration is that
> >> I don't bring up pf with rc.conf.local.  Pf is
> >> started in rc.local so that it starts after
> >> the (secondary, local, caching) nameserver so that I can
> >> use the dns names of my domain in pf.conf.
> >
> > This is clearly going to cause a problem because
> > I also don't allow forwarding until after pf is up,
> > so as soon as the carp interfaces become master
> > the clients will start receiving icmp unreachable messages
> > in response to traffic.
>
> The carp demotion twiddling in RC isn't disabled until after rc.local
> is run, so this shouldn't be a problem (but in general it's safe to turn
> on forwarding during boot, because the boot-time pf.conf won't pass
> forwarded traffic).

FWIW in my case, because rc.conf.local has pf turned off, the
boot-time pf rules are not loaded.  To prevent indiscriminate
forwarding I don't want forwarding turned on
until after my pf ruleset is loaded in rc.local.  Because
the carp interfaces won't go into MASTER while rc.local is
running I don't need to worry about the time during which
the pf ruleset is loaded but forwarding is not yet on.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
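The ordering Karl describes (local resolver first, then the pf ruleset, then forwarding) as an added rc.local fragment; this is example code, not from the thread or from OpenBSD itself. It assumes pfctl(8), sysctl(8) and dig(1) from the OpenBSD base system, a resolver on 127.0.0.1, and a constructed probe name (ns.example.org) that pf.conf also references; if the ruleset does not load and verify, forwarding is left off rather than opened up.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.local fragment that applies the
# ordering discussed above. Wait for the local caching resolver, load the pf
# ruleset, and only then turn on IP forwarding. If any step fails, forwarding
# stays off (fail closed) instead of passing everything.
# Assumes pfctl(8), sysctl(8), dig(1), a resolver on 127.0.0.1, and a
# constructed probe name that also appears in pf.conf.

PF_CONF=${PF_CONF:-/etc/pf.conf}
RESOLVER=${RESOLVER:-127.0.0.1}
PROBE_NAME=${PROBE_NAME:-ns.example.org}   # constructed placeholder

# Poll the resolver until it answers for a name pf.conf depends on, or give
# up after $1 seconds. Returns 0 once an answer arrives, 1 on timeout.
wait_for_resolver() {
    _left=${1:-30}
    while [ "$_left" -gt 0 ]; do
        if dig +short +time=1 +tries=1 "@$RESOLVER" "$PROBE_NAME" | grep -q .; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# Load and enable pf, then verify the result instead of trusting exit codes:
# pf must report Enabled and the loaded ruleset must be non-empty.
load_pf() {
    pfctl -f "$PF_CONF" || return 1
    pfctl -e >/dev/null 2>&1 || true        # "already enabled" is not an error
    pfctl -si | grep -q '^Status: Enabled' || return 1
    pfctl -sr | grep -q . || return 1
}

# resolver -> ruleset -> forwarding; any failure leaves forwarding off.
bring_up_forwarding() {
    if ! wait_for_resolver 30; then
        echo "rc.local: resolver not answering, leaving pf and forwarding alone" >&2
        return 1
    fi
    if ! load_pf; then
        echo "rc.local: pf ruleset did not load, forwarding stays off" >&2
        return 2
    fi
    sysctl net.inet.ip.forwarding=1 >/dev/null
}

# Act only when invoked as "sh this_file run" (e.g. from rc.local).
if [ "${1:-}" = run ]; then bring_up_forwarding; fi
```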