On 25 Aug 2003, Bret Comstock Waldow wrote:

> His system comes in two/three parts. There's an iptables_pre script
> which fits simply into the Debian init system - put it in /etc/init.d
> and use update-rc.d defaults to plug in the symlinks so it runs before
> the network is up. It locks everything closed and optionally has
> support for alternatives to dhclient if that's not what I use.
>
> The second/third parts run after the network is up. He writes:
>
> "Now that the iptables_pre script will protect the system while the
> network interfaces are being brought up, it is time to arrange for the
> main script, rc.fwsoho ... to be invoked on bootup. While we could
> invoke it the same way we invoked iptables_pre, instead we will use a
> real rc.d-style script to invoke it. This rc.d-style script is based on
> Red Hat 7.3 iptables startup script but has been modified to generate a
> message and error exit if IP Tables is not available."
I am not trying to be smarter than Bob (I read his book too), but...
Why would one burden the system with stuff that's only needed when a
network interface is up? Why not just use the pre-up and post-down
directives for the chosen interface? To me that seems to be a more
natural place to put this stuff.

I am not sure if it will be useful for what you're trying to accomplish,
but I have described what I think is a good way to initialize the
firewall at http://huizen.dto.tudelft.nl/devries/security/iptables_example.html

Of course There's More Than One Way To Do It, so if it is not applicable
to your situation just ignore my blathering }:-)

> He instructs me to copy rc.fwsoho into /etc/rc.d, i

I am afraid there is no /etc/rc.d in Debian GNU/Linux.

> then put iptables
> (script) into init.d and symlink it in (the update-rc.d step in
> Debian). iptables is hard coded to call /etc/rc.d/rc.fwsoho on the
> appropriate "start".

??? Does that mean your version of iptables has been compiled with such
an instruction? Otherwise it is just a shell script with a series of
instructions; this should include the usual "start|stop|restart" commands
and the policy/ruleset to apply.

> Ok. There is no /etc/rc.d in my Debian system. /etc/rcX.d has some
> meaning beyond just being another place to gather files - it corresponds
> to runlevel X, and gets swept automatically as the system passes through
> that runlevel. What is the meaning and equivalent of /etc/rc.d? The
> other directories referenced appear to exist.

You should use /etc/init.d to place this type of thing in. After that you
can make a symlink in the appropriate run-level directory /etc/rcX.d from
where it will be called. Take a look in those directories and you'll see
that's how all the other scripts in there are initialized.

One thing though: under Debian GNU/Linux the differences between the
run-levels are not as strictly defined as in RedHat.
> To those who want to tell me why I shouldn't use his approach, I welcome
> the comments, I'll learn from them. But please also tell me the answers
> to the questions above, so I can get a context to put it all in.

I hope that's what I did `;-)

Grx HdV
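As an added example (not Bob Toxen's iptables_pre and not the script on HdV's page), here is a minimal lock-closed script written in the /etc/init.d style the thread discusses, meant to be called from the pre-up and post-down directives HdV suggests. The iptables path, the interface name eth0, and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Lock-closed firewall script in the style of an /etc/init.d script.
# Intended to be called from /etc/network/interfaces, for example:
#   iface eth0 inet dhcp
#       pre-up    /etc/init.d/iptables_pre start
#       post-down /etc/init.d/iptables_pre start
# Assumptions (not from the thread): iptables lives in /sbin, eth0 is the
# interface, and the main ruleset is loaded later by a separate script.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Rules that hold while an interface is being configured: default-deny on
# every built-in chain, flush any leftover rules, allow loopback, and permit
# only the DHCP client exchange (udp 67/68) so a lease can still be obtained.
lock_closed() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    run -F
    run -X
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    run -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
}

# Self-check helper: counts the DROP policies a dry run would set (expect 3).
count_drop_policies() {
    ( DRY_RUN=1; lock_closed ) | grep -c -- '-P [A-Z]* DROP'
}

# "stop" deliberately re-locks rather than opening everything: with the
# interface going down, refusing traffic is the safe state.
if [ $# -gt 0 ]; then
    case "$1" in
        start|stop|restart) lock_closed ;;
        *) echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```

Run it with DRY_RUN=1 first to see the exact iptables commands it would issue before installing it as /etc/init.d/iptables_pre.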