Re: Firewall Startup Configuration files

 
From: "Jean Christophe ANDRÉ" <jean-christophe.andre@auf.org>

Sent: Tuesday, November 04, 2003 3:14 PM
Subject: Re: Firewall Startup Configuration files

> Hi,
> On 2003-11-04 15:01 (local), Peter Robb wrote:
> > There isn't anything going into the network behind the firewall coz there
> > aren't any DNAT rules loaded to direct them there..
> > Only place they can go is down the INPUT chain...
> > And the same for outgoing connections, there isn't any masquerade to give
> > them an internet number for replies..
> >
> > So it kind of makes sense to leave it in the /etc/sysctl.conf file, but
> > delay loading the DNAT and SNAT rules until the end of the
> > rule lists to make sure the filtering is active before anything can connect.
> You seem to forget people having enough IP addresses to put routable
> ones on all their computers... And even without talking about them (who are
> lucky not to have protocols locked by lack of NAT support), most people
> would have servers with routable IP addresses on their DMZ, isn't it?

Agreed, but what's the timing for loading the rules and bringing up the interfaces...
I prefer rules first and interfaces next. Then the routing is also after the rules...

I think the whole question is whether to put some kind of filtering in place before the firewall goes live.
Even bringing up local interfaces after the external is live and working...
Would that make more sense?
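The ordering argued for above (fail-closed policy and filter rules first, interfaces and routing next, forwarding and NAT last), as an added example script that is not from the thread. Interface names, addresses and the allowed ports are assumptions; by default it only prints the plan.

```shell
#!/bin/sh
# Ordered firewall bring-up: filtering is live before any interface can carry
# traffic, and forwarding/NAT are enabled last. Names below are assumptions.
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the plan; 0 = execute (root)
WAN_IF="${WAN_IF:-eth0}"              # assumed external interface
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal network
WAN_ADDR="${WAN_ADDR:-203.0.113.10/24}"
WAN_GW="${WAN_GW:-203.0.113.1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

firewall_startup() {
    # 1. Fail closed before anything else: forwarding off, default DROP.
    run sysctl -w net.ipv4.ip_forward=0
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    # 2. Filter rules: loopback, stateful replies, the few services needed.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # 3. Only now bring up the interfaces and routing.
    run ip link set "$LAN_IF" up
    run ip link set "$WAN_IF" up
    run ip addr add "$WAN_ADDR" dev "$WAN_IF"
    run ip route add default via "$WAN_GW"
    # 4. NAT and forwarding last, once the filter rules are already in place.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# Returns 0 when the dry-run plan sets the DROP policy before the first link
# comes up, and adds NAT only after the links are up.
check_order() {
    plan=$(DRY_RUN=1; firewall_startup)
    drop=$(printf '%s\n' "$plan" | grep -n -- '-P FORWARD DROP' | cut -d: -f1)
    link=$(printf '%s\n' "$plan" | grep -n 'ip link set' | head -1 | cut -d: -f1)
    nat=$(printf '%s\n' "$plan" | grep -n -- '-t nat -A' | cut -d: -f1)
    [ "$drop" -lt "$link" ] && [ "$link" -lt "$nat" ]
}

firewall_startup
```

Run with `DRY_RUN=0` as root to apply the plan instead of printing it.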


