
Re: Firewall Startup Configuration files



----- Original Message ----- 
From: "Magnus Sundberg" <Magnus.Sundberg@dican.se>
To: <debian-firewall@lists.debian.org>
Sent: Tuesday, November 04, 2003 1:57 PM
Subject: Re: Firewall Startup Configuration files


> Jose Alberto wrote:
> >
> >  Check /etc/sysctl.conf
> >
> >  You can set anything settable under /proc/sys with this file, it is
> > part of the sysctl program, and it's run at startup before any runlevel
> > by /etc/rcS.d/S30procps (at least in sarge, woody is probably the same).
> >
> >
> >   Cheers
> >
>
> Thanks,
> I have looked around a little bit more now and I will put all my
> kernel alterations into /etc/sysctl.conf except for the
> `echo "1" > /proc/sys/net/ipv4/ip_forward´ since this would
> generate a race condition during boot up.

There isn't anything going into the network behind the firewall coz there aren't any DNAT rules loaded to direct them there..
Only place they can go is down the INPUT chain...
And the same for outgoing connections, there isn't any masquerade to give them an internet number for replies..

So it kind of makes sense to leave it in the /etc/sysctl.conf file, but delay loading the DNAT and SNAT rules until the end of the
rule lists to make sure the filtering is active before anything can connect.


> You know the default
> stance of the iptables FORWARD table is ACCEPT.
>
> I will add this to the /etc/default/iptables
>
> iptables -P FORWARD DROP
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> This way the system will not forward packages to the hosts behind
> the firewall.
>
> /Magnus

Regards,
Peter.
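As an added example that is not part of this thread, the start script ordering that follows from both posts: forwarding off and every policy set to DROP before any rule is loaded, then the filter rules, then the NAT rules, and ip_forward enabled only at the very end. Interface names eth0/eth1 and the IPT/IP_FORWARD override variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the list posts. Firewall start ordering that
# closes the boot-time race: the FORWARD policy is DROP and ip_forward is 0
# before a single rule is loaded, and forwarding is switched on last.
# IPT and IP_FORWARD can be overridden for a dry run (IPT="echo iptables").
IPT="${IPT:-iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
LAN_IF="${LAN_IF:-eth1}"   # assumed interface names
WAN_IF="${WAN_IF:-eth0}"

# Step 1: close everything first. Policies go to DROP and forwarding is
# disabled, so nothing passes while the rule list is still being filled.
fw_close() {
    echo 0 > "$IP_FORWARD"
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -t nat -F
}

# Step 2: filter rules. Only established/related traffic comes back in,
# the LAN may go out through the WAN interface.
fw_filter() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -j ACCEPT
}

# Step 3: SNAT/DNAT only after the filtering above is active.
fw_nat() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Step 4: open the gate last.
fw_open() {
    echo 1 > "$IP_FORWARD"
}

fw_start() { fw_close; fw_filter; fw_nat; fw_open; }
```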


