
Re: short iptables script to use with Debian

> On Wednesday 17 December 2003 10:22, R.M. Evers wrote:
> > hi alexander,
> >
> > what i always do whenever i install a new server, is pay a visit to
> > http://morizot.net/firewall/gen/. there, i generate a firewall script,
> > which i modify for my personal needs afterwards. the script has some
> > standard protection against common attacks. when satisfied, i run the
> > script, then do a "/etc/init.d/iptables save active", et voila ;-)

On Wed, Dec 17, 2003 at 10:34:39AM +0000, Jon Hill wrote:
> /etc/default/iptables reads
> # Now for a short question and answer session:
> #
> # Q: You concocted this init.d setup, but you do not like it?
> # A: I was pretty much hounded into providing it. I do not like it.
> #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> #    init.d script -- no need to even name it iptables.  Use ferm,
> #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> #    firewall configuration tools available. Do not use the init.d
> #    script.
> I'm not offering an opinion myself (not enough experience), just found it when
> I was trying to set up iptables on Debian.

It's an interesting question, whether or not to use a script in init.d.
I use a script /etc/init.d/firewall, which I start from wherever it
needs to be started from.

AFAICT it's ok if it's in /etc/init.d, so long as you don't
just go starting it at boot via /etc/rc2.d/ or similar with a link,
unless that is really what you want to do, in which case it's great.

Sometimes starting at boot won't work for ppp (for example) anyway,
because some scripts look for the devices first, and if ppp0 isn't up
the script fails to start and you don't get a firewall.

So it may be better to start it from wherever the outside network
is brought up, such as /etc/network/interfaces (see interfaces (5))
or ip-*.d/ (see run-parts (8)), as in the nice FAQ question above.

I think he just means "Do not use this init.d script".

Patrick Lesslie
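As an added example (not part of the post above, and not Debian's own init.d script), here is the shape of a firewall script that can be hooked into /etc/network/interfaces with a pre-up line, as suggested above. The interface name ppp0, the script path /etc/init.d/firewall and the FW_DRYRUN variable are assumptions for illustration. ifupdown exports IFACE to its hooks, so the script reads the interface from that and only ever refers to the interface by name; it never looks up the device's address, which is the step that fails when ppp0 is not up yet at boot. With FW_DRYRUN=1 the iptables commands are printed instead of run, so the rule set can be reviewed offline.

```shell
#!/bin/sh
# Example firewall script to be started from /etc/network/interfaces,
# e.g. (assumed stanza):
#   iface ppp0 inet ppp
#       provider myisp
#       pre-up /etc/init.d/firewall start
#       post-down /etc/init.d/firewall stop
# ifupdown exports IFACE (and MODE) to hook scripts; $IFACE is used here.

IPT=${IPT:-iptables}

fw_rules() {
  # Emit one iptables argument list per line for the WAN interface $1.
  # Only the interface *name* is used, so this works at pre-up time
  # when ppp0 exists as a name but has no address yet.
  wan=$1
  cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $wan -j DROP
EOF
}

fw_apply() {
  # Apply each rule line; with FW_DRYRUN=1 (assumed knob) just print them.
  fw_rules "$1" | while IFS= read -r rule; do
    if [ "${FW_DRYRUN:-0}" = 1 ]; then
      echo "$IPT $rule"
    else
      # Word splitting of $rule is intended here.
      $IPT $rule
    fi
  done
}

fw_flush() {
  # Open the firewall again (used on post-down or "stop").
  for args in "-F INPUT" "-P INPUT ACCEPT" "-P FORWARD ACCEPT" "-P OUTPUT ACCEPT"; do
    if [ "${FW_DRYRUN:-0}" = 1 ]; then
      echo "$IPT $args"
    else
      $IPT $args
    fi
  done
}

case "${1:-}" in
  start) fw_apply "${IFACE:-ppp0}" ;;
  stop)  fw_flush ;;
  *)     [ -n "${1:-}" ] && echo "usage: $0 {start|stop}" >&2 ;;
esac
```

Run with `FW_DRYRUN=1 IFACE=ppp0 sh firewall start` to see the exact commands before wiring the script into interfaces(5); the rules are a minimal default-deny set that admits only established traffic and new SSH connections on the outside interface.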
