[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: init.d script for iptables ruleset

On Wed, Sep 21, 2005 at 04:34:49AM -0700, Steve Langasek wrote:
> I don't remember any such rationale ever being given; IIRC, ljlane changed
> it in response to pressure from users, who may have objected for any number
> of reasons.  The presence of an optional startup script for iptables doesn't

That's not what happened IMHO. ljlane removed them because he didn't want to
have any built-in firewall functionality in iptables. He wanted the package
to provide just the software itself. You might want to consider checking 
out the maintainer response to #212692.

> preclude having per-interface rules, anyway; and one may have a need for
> both per-interface rules *and* static rules that should always be loaded...

IIRC the startup scripts were removed because the maintainer believed them to
be a kludge and actively encouraged users to use firewall packages 
instead of the built-in functionality initially added in the iptables package. 
Notice that iptables' current README.Debian file has changed since I filed
bug #307934. Now the maintainer does not mention firewall packages at all

> Anyway, this is still in the pre-proposal stage and needs plenty more work,
> but since the topic has come up: <http://wiki.debian.org/FirewallByDefault>.
> Feel free to add comments. :)

How about pointing to the "Adding firewall capabilities" section of
the Securing Manual? Available at

Also fixing #324593 might be relevant here as some network security features
are configered at the kernel level. I tried to describe this in the 
"Securing network access" section of the Securing Manual:



Attachment: signature.asc
Description: Digital signature

Reply to: