
Re: [iptables] init script



Rainer Ellinger <rainer@ellinger.de> writes:

> Olaf Meeuwissen wrote:
> > Better yet, forget the whole /etc/default/iptables stuff and set your
> > firewalling up through appropriate scripts in the
> > /etc/network/if-*.d/ directories.  For an idea on how you could go
> 
> Is there any better reason than "forget about it" for your approach?

Unless the latest iptables has fixed it, there is a small window of
vulnerability with the init.d approach.  Looks like it did.
See http://bugs.debian.org/135599 and http://bugs.debian.org/140428

> How do you update single rules in running configs?

Very carefully :-)
Seriously though, from the command line with "iptables ..." just like
you do.  If the changes are supposed to survive reboots and run level
changes, I just put them in a shell script in the /etc/network/if-*.d
they belong in.

> With /etc/init.d/iptables, you make your changes with "iptables ..."
> and save the whole ruleset with "/etc/init.d/iptables save active". If
> you're afraid of losing remote connection while experimenting with
> rulesets, you may save your working config to a new name and schedule
> (with cron/at) a "/etc/init.d/iptables load SavedBackupNameblabla"
> before you start changing anything.

As far as I can tell, you can still do that even if you have none of
the /etc/rc?.d/ symlinks.

> It's also easy to have several different iptables setups or versions 
> and backups. How do you achieve this with your solution?

You could check for the current run level or an environment variable
in the scripts and adapt to that if you need that kind of flexibility.
Probably not a very clean solution, but it should work.  The only
systems I see a need for that level of flexibility are laptops that
change environments frequently.  For these cases you have to redo the
network device set up anyway.  Okay, add DHCP clients to the list.
Now here's an interesting problem!
For versions and backups, put your scripts in CVS or some such.

> I can't see any benefits.

I see FW setup as an integral part of network device configuration,
not as some separate activity that has to be performed during boot
and run level changes.  Your view may be different.
Besides, it plugged existing iptables holes at the time I set it up.
# The maintainer has also expressed his dislike for the init.d script
# on several occasions (see /etc/defaults/iptables).
-- 
Olaf Meeuwissen                            Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH
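An added example of the if-*.d approach discussed in this thread, not code posted by either participant: an ifupdown hook meant to be installed in /etc/network/if-pre-up.d/ (and symlinked into if-post-down.d/) that keeps each interface's rules in its own chain. It assumes ifupdown's exported IFACE and MODE (start/stop) variables, that `iptables -C` (rule check) is available, and that SSH is the remote-access service worth keeping open during a reload.

```shell
#!/bin/sh
# Added example hook for /etc/network/if-pre-up.d/ and if-post-down.d/.
# Assumes ifupdown exports IFACE and MODE (start/stop) and that `iptables -C`
# exists. Rules live in a per-interface chain (fw_<iface>) so every interface
# manages only its own rules and running the hook twice is harmless.

# Emit the iptables commands for one interface, one per line, without running them.
commands_for() {
    iface="$1" mode="$2" chain="fw_$1"
    case "$mode" in
    start)
        # Create the chain if missing, otherwise empty it, so re-running is safe.
        echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Keep SSH reachable so a remote reload does not lock you out.
        echo "iptables -A $chain -p tcp --dport 22 -m state --state NEW -j ACCEPT"
        echo "iptables -A $chain -j LOG --log-prefix \"$chain: \""
        echo "iptables -A $chain -j DROP"
        # Hook the chain into INPUT exactly once (check before insert).
        echo "iptables -C INPUT -i $iface -j $chain 2>/dev/null || iptables -I INPUT -i $iface -j $chain"
        ;;
    stop)
        # Tear down in reverse order: unhook, flush, delete the chain.
        echo "iptables -D INPUT -i $iface -j $chain 2>/dev/null || true"
        echo "iptables -F $chain 2>/dev/null || true"
        echo "iptables -X $chain 2>/dev/null || true"
        ;;
    *)
        return 1
        ;;
    esac
}

# Only act when ifupdown calls us (IFACE and MODE set); leave loopback alone.
# Because this runs from if-pre-up.d, the rules are in place before the
# interface carries traffic, which is the window the init.d approach leaves open.
if [ -n "$IFACE" ] && [ -n "$MODE" ] && [ "$IFACE" != lo ]; then
    commands_for "$IFACE" "$MODE" | sh -e
fi
```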


-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org