
Re: script init

"Jeff Bonner" <jeff@integralogic.com> writes:

> > -----Original Message-----
> > From: sim ton [mailto:firewall38@lycos.com] 
> > Sent: Wednesday, June 05, 2002 5:20 AM
> > To: debian
> > Subject: script init
> >
> > so my firewall is almost good :)
> > but I want to init it at any reboot ...
> > I've heard of iptables-save and I used it, but I don't really
> > know how it works because it didn't work,
> > so I just need an easy solution, which is running my script
> > firewall.sh at any reboot.

If you really want to use an iptables-(save|restore) kind of approach,
iptables can handle that for you.  Read /etc/default/iptables!

> Assuming you have your firewall.sh script in /etc/init.d, you can do
> this:
> # chmod 755 /etc/init.d/firewall.sh
> # cd /etc/rc2.d   [or whatever is default runlevel]
> # ln -s /etc/init.d/firewall.sh S90firewall
> This creates a symbolic link to the actual firewall script:  in the
> /etc/rc#.d directories, the higher the S##, the later it loads at boot
> time.  So S10<script> will run before S11<script>, and S99<script> would
> be the very last.  It's up to you when you want it to run (before or
> after the other programs); some people say the firewall should be the
> very *first* thing.

At the very least it should be up by the time you configure your
network devices, i.e. any init.d style scripts should be run _before_
/etc/init.d/networking no matter what.  When taking things down, your
firewall should go only after all networking has been taken down.  If
you don't do that, there's a small window that could be exploited.

The current iptables package in woody *asks* you whether you want
init.d style scripts enabled.  If you say yes, it now creates the
symlinks in the correct places.  To reconfigure:

  # dpkg-reconfigure iptables

It creates links with:

  update-rc.d iptables start 40 S . stop 89 0 6 .

in case you're wondering.  For the reasoning behind this, see
http://bugs.debian.org/135599 and http://bugs.debian.org/140428.

> For now, don't add it to runlevel 0, 1 or 6, which equate to "halt"
> (power-down), "single-user" (barely anything running) and "reboot".  0
> and 6 need a different symlink, i.e. K90firewall (S for start, K for
> kill).  And it would be pointless, because your script probably doesn't
> parse start|restart|stop, etc; in fact, the effect would be
> counterproductive, turning it ON instead of off.

If you care enough about your firewall to write a script to set it up,
it is not much trouble to add some scripting to take it down again.
Why not add that little bit so it handles at least "stop".  The
"restart" can then default to a "stop"/"start" cycle and you're done.

> Alright, that's one way to run your firewall.  Another is with
> "update-rc.d" (which is specific to Debian, and similar to RedHat's
> "chkconfig").  If you want more information on it, try "man
> update-rc.d".  :)

The iptables maintainer discourages the use of the init.d approach and
suggests you set things up via scripts in the /etc/network/if-*.d/
directories.  For a simple set of scripts, see the attachment of

Olaf Meeuwissen                            Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH
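An added example of what the thread is describing: an /etc/init.d-style firewall script that handles start, stop and restart so it can be linked as both an S## and a K## entry, and that stops into a closed state rather than an open one. This is illustrative code written for this page, not code from either poster, from the attachment mentioned above, or from Debian's iptables package. The rule set, the interface name eth0, the IPTABLES/WAN_IF/SSH_PORT environment overrides and the fw_* function names are assumptions of the example.

```shell
#!/bin/sh
# /etc/init.d/firewall -- hypothetical example script (not from the list post).
# Handles start|stop|restart|force-reload so it can be linked as S## and K##.
# IPTABLES, WAN_IF and SSH_PORT may be overridden from the environment
# (e.g. IPTABLES=some-logging-wrapper for a dry run); that is an assumption.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"        # assumed external interface
SSH_PORT="${SSH_PORT:-22}"      # assumed: the one service exposed

# Reset to a known, closed state.  Policies go to DROP *before* the flush,
# so there is never a moment when the chains are empty and the policy is
# still ACCEPT (the "small window" the thread warns about).
fw_reset_closed() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
}

fw_start() {
    fw_reset_closed
    # Loopback is always allowed.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # Traffic belonging to connections we already accepted may continue.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: private/loopback source addresses never arrive from the WAN.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPTABLES -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
    # The single exposed service (assumed policy for the example).
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Log what falls through to the DROP policy, rate limited.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# "stop" flushes the rules but leaves the host closed.  Flushing with ACCEPT
# policies would be the counterproductive outcome from the thread: a K-link
# that opens the box.  On shutdown (rc0.d/rc6.d) networking is already down.
fw_stop() {
    fw_reset_closed
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
}

# Deliberately a separate action, never reachable from a K-link:
# flush everything and open up, for debugging on the console.
fw_clear() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
}

fw_dispatch() {
    case "$1" in
        start)                fw_start ;;
        stop)                 fw_stop ;;
        restart|force-reload) fw_stop; fw_start ;;
        clear)                fw_clear ;;
        *) echo "Usage: $0 {start|stop|restart|force-reload|clear}" >&2
           return 1 ;;
    esac
}

# From init the action is $1.  When run by ifupdown from /etc/network/if-*.d/
# there is no argument, but ifupdown exports MODE=start (ifup) or MODE=stop
# (ifdown), so the same file works for the interface-hook approach too.
action="${1:-${MODE:-}}"
if [ -n "$action" ]; then
    fw_dispatch "$action"
fi
```

To hook it into the boot sequence: chmod 755 /etc/init.d/firewall, then "update-rc.d firewall start 40 S . stop 89 0 6 ." (the same slots the thread quotes for the iptables package, chosen there so that it starts before networking and stops after it). Alternatively link the same file into /etc/network/if-pre-up.d/ and /etc/network/if-post-down.d/ for the per-interface approach mentioned at the end; it reads MODE when called without an argument.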

To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
