Re: Should named be started before pf during boot?
Mike Burns wrote:
>
> There are other solutions to the problem I am about to present; I am
> wondering if my solution has negative side-effect.
>
> On boot up, pf is started before named is started. Thus, any
> computers mentioned in the /etc/pf.conf must be in /etc/hosts for them to be
> found, or named must be started first. It's more work than I need to
> maintain /etc/hosts in addition to the named configuration, so I modified
> the /etc/rc* to start named before pf.
>
> If this is a good solution, should this be done for all systems? If it's a
> bad solution, why?
FIRST, if you REALLY want to do this, I think a *far* better solution
would be to load/reload your production PF rules again AFTER the
system has fired up whatever you want to have running before PF rules
are loaded. Something like:
load pf.conf (basic protection)
run named
load pf.runconf (your actual rules, maybe in rc.local)
This way, your system always has the protection of pf.conf.
Note that there is nothing automatic about having your primary ruleset
in /etc/pf.conf other than that is what is loaded by default. It is
just a text file you can load other files at some other point. I have
a system or two set up with a "minimum protective ruleset" (actually,
"maximal" might be a better word -- if someone power-cycles the box,
it ends up with almost everything off) that loads at boot, but in
normal operation, some other ruleset is loaded by a user depending on
the needs at the moment.
Second, I don't know that you really want to do this.
IN GENERAL... Putting names in your pf.conf file can be misleading.
They are evaluated only at rule load time, not dynamically. Addresses
can change. Also, I don't recall what happens if a site you are
referring to resolves to multiple addresses -- nothing overly productive,
I suspect, and to be honest, I really don't care -- if a site resolves
to two addresses today, odds are, next week, it might resolve to five.
So, if you see that you are blocking holland-consulting.net when
inspecting your rules, you might just think "I'm blocking
holland-consulting.net", whereas you see:
# holland-consulting.net as of 8/1/2002
block in quick from any to 6.7.8.9
block in quick from any to 6.7.8.10
it will be a more vivid reminder that things change, and before losing
too much hair over why things aren't working, re-check the obvious.
Regardless, what you are wanting to do is most likely NOT a sane
suggestion for a structural change in OpenBSD ("for all systems").
"Filters on first" is the sane rule. One of the features of an open
system is you can do whatever you want. Be aware, however, the people
who set the defaults know what they are doing. We provide the
bullets, you provide the feet.
Nick.
--
http://www.holland-consulting.net
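An added example, not from Nick's reply or from OpenBSD: a small Python pre-processor for the "literal addresses plus a dated comment" practice above. It rewrites each hostname operand after "from" or "to" into one rule per resolved address (so the multiple-address case is visible rather than ambiguous) and refuses to write anything when a name does not resolve, so a block rule is never silently dropped. The sample ruleset and the dns_resolver default are constructed for illustration; the resolver is injected so the code runs offline, and the output is what you would feed to pfctl -f from rc.local after named is up.

```python
import ipaddress
import itertools
import socket

# Constructed sample ruleset in the spirit of the thread: one rule names a
# host, which pfctl would resolve only once, at load time.
SAMPLE_RULES = """\
set skip on lo0
block in quick from any to holland-consulting.net
pass out quick from any to 10.0.0.0/8
"""

def is_address(token):
    """True for a literal IPv4/IPv6 address or CIDR network, else False."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def dns_resolver(name):
    """Live lookup (constructed default; the test injects a fixed table)."""
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})

def expand_rules(text, resolver, today):
    """Return the ruleset with every hostname operand after 'from' or 'to'
    replaced by one rule per resolved address, under a dated comment.
    Brace lists are left as written. A name with no addresses raises, so
    the rule that mentions it is never silently dropped."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            out.append(line)
            continue
        # Operands that are neither 'any', a table/interface/list reference,
        # a negation, nor a literal address are hostnames to expand.
        names = {i: t for i, t in enumerate(tokens)
                 if i > 0 and tokens[i - 1] in ("from", "to") and t != "any"
                 and not t.startswith(("<", "(", "!", "{")) and not is_address(t)}
        if not names:
            out.append(line)
            continue
        resolved = {n: resolver(n) for n in set(names.values())}
        for n, addrs in sorted(resolved.items()):
            if not addrs:
                raise ValueError(f"{n} did not resolve; refusing to drop its rule")
            out.append(f"# {n} as of {today} resolved to {len(addrs)} address(es)")
        positions = sorted(names)
        for combo in itertools.product(*(resolved[names[p]] for p in positions)):
            expanded = list(tokens)
            for p, addr in zip(positions, combo):
                expanded[p] = addr
            out.append(" ".join(expanded))
    return "\n".join(out) + "\n"
```

The generated file is a snapshot: regenerate and reload it when the addresses behind a name change, which is exactly the point of the dated comment.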