> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called. If I'm wrong or you have a
> better alternative to this please let me know.

Yes, you understood the manpage right and no, I don't think there's a better
way to detect that. This is something I've thought about and couldn't come up
with a better solution, either.

But there's another "issue" about /etc/rc.d/ipfilter that has a work-around:
IPv6 support. The current script just fires ipf and then ipf -6, whether you
have IPv6 support or not. I don't know the purpose of this, since grepping
/etc/rc* and /etc/rc.d/* for it doesn't return anything, but there's this line
in /etc/defaults/rc.conf:

    ipv6_enable="NO"        # Set to YES to set up for IPv6.

So, assuming there *is* a reason for that variable, I changed my
/etc/rc.d/ipfilter a bit so it respects that (although only in
ipfilter_start()):

    case ${OSTYPE} in
    FreeBSD)
            # IPv4 ruleset: always loaded, as before
            ${ipfilter_program:-/sbin/ipf} -Fa
            if [ -r "${ipfilter_rules}" ]; then
                    ${ipfilter_program:-/sbin/ipf} \
                        -f "${ipfilter_rules}" ${ipfilter_flags}
            fi
            # IPv6 ruleset: only when ipv6_enable is YES (any case)
            case ${ipv6_enable} in
            [Yy][Ee][Ss])
                    ${ipfilter_program:-/sbin/ipf} -6 -Fa
                    if [ -r "${ipv6_ipfilter_rules}" ]; then
                            ${ipfilter_program:-/sbin/ipf} -6 \
                                -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
                    fi
                    ;;
            esac
            ;;
    esac

Should that be the default, or am I missing anything here?

Fred
-- 
"They're only trying to make me LOOK paranoid!"
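The following is an added example, not code from the post above or from the FreeBSD rc.d scripts. It models the ipv6_enable gating of ipfilter_start() in a stand-alone POSIX sh script so the behaviour can be checked without root or an IPF-enabled kernel: the real /sbin/ipf is replaced by a mock (mock_ipf, a hypothetical helper) that only records its arguments, and count_v6_calls() reports how many ipf invocations would have carried -6 for a given ipv6_enable value. The temporary rules files it creates are constructed for the example only.

```shell
#!/bin/sh
# Added example (not from the original post): a stand-alone model of the
# ipfilter_start() logic, with ipf replaced by a mock so the ipv6_enable
# gating can be exercised without touching the kernel.

# Mock for /sbin/ipf (hypothetical helper, not part of FreeBSD): append
# every invocation, one per line, to IPF_CALLS instead of loading rules.
IPF_CALLS=""
mock_ipf() {
    IPF_CALLS="${IPF_CALLS}ipf $*
"
}

# Same structure as the rc.d excerpt: the IPv4 ruleset is always loaded,
# the IPv6 one only when ipv6_enable matches YES case-insensitively, which
# is the rc.conf convention for boolean knobs.
ipfilter_start() {
    ipfilter_program=${ipfilter_program:-mock_ipf}
    ${ipfilter_program} -Fa
    if [ -r "${ipfilter_rules}" ]; then
        ${ipfilter_program} -f "${ipfilter_rules}" ${ipfilter_flags}
    fi
    case "${ipv6_enable}" in
    [Yy][Ee][Ss])
        ${ipfilter_program} -6 -Fa
        if [ -r "${ipv6_ipfilter_rules}" ]; then
            ${ipfilter_program} -6 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
        fi
        ;;
    esac
}

# Run ipfilter_start with the given ipv6_enable value and print the number
# of ipf invocations that carried -6 (2 when IPv6 is enabled: flush + load).
# Readable rules files are constructed with mktemp so both -f branches run.
count_v6_calls() {
    ipv6_enable=$1
    IPF_CALLS=""
    ipfilter_rules=$(mktemp)
    ipv6_ipfilter_rules=$(mktemp)
    ipfilter_program=mock_ipf
    ipfilter_start
    rm -f "${ipfilter_rules}" "${ipv6_ipfilter_rules}"
    printf '%s' "${IPF_CALLS}" | grep -c '^ipf -6' || true
}

# Stand-alone usage: show the effect of both settings.
echo "ipv6_enable=YES -> $(count_v6_calls YES) IPv6 ipf calls"
echo "ipv6_enable=NO  -> $(count_v6_calls NO) IPv6 ipf calls"
```

Pointing ipfilter_program at a recording mock is also a cheap way to review what any rc.d change will actually execute before it runs as root at boot.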
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:12 UTC