
Re: /etc/init.d/iptables



>>>>> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> writes:
>>>>> Ivan Shmakov wrote:
>>>>> Jonathan Yu <jonathan.i.yu@gmail.com> writes:

 >>> I apparently used /etc/network/if-pre-up.d (I can't remember the
 >>> reasoning why, but I guess it's useful to make sure you load the
 >>> rules prior to bringing the interfaces up, which means the rules
 >>> will be there once network connectivity is brought up)

 >> Yes.  However, doesn't if-pre-up.d/ get activated every time an
 >> interface is brought up?

 > Indeed.  My opinion is that only interface-specific action such as
 > creating interface-specific firewall rules should be performed in
 > /etc/network/if-*.d/ scripts,

	Huh?  Why might one need to put interface-specific scripts into
	non-interface-specific if-*.d/ directories?  Did you mean the
	/etc/network/interfaces {pre,post}-{up,down} options here?

 > as well as in /etc/ppp/ip*.d/ scripts.

	... Also, is there any good reason to change the firewall
	configuration as the interfaces are brought up and down at all?
	The iptables(8) configuration seems to be the best when it's
	static.

 > Non-interface-specific commands should be performed by an init script
 > before the network script runs.

	That's what I did with my version of the init.d/ script.

-- 
FSF associate member #7257
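
The init-script approach discussed above, written out as an added example (not code from anyone in this thread): a hypothetical /etc/init.d/firewall that restores one static rule set before the networking script runs, so nothing has to be redone in if-pre-up.d/ each time an interface comes up. It assumes a rule file at /etc/iptables/rules.v4 in iptables-save format and an insserv-style LSB header; check_rules rejects a file without explicit chain policies so a truncated file fails closed instead of booting unfiltered.

```shell
#!/bin/sh
# Hypothetical /etc/init.d/firewall (constructed example): restore one
# static iptables rule set before networking is configured.
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# X-Start-Before:    networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: load static iptables rules before networking
### END INIT INFO
RULES="${RULES:-/etc/iptables/rules.v4}"   # assumed rule file (iptables-save format)

# check_rules FILE: accept only a rule set that opens the filter table,
# sets an explicit ACCEPT/DROP policy on every built-in chain and ends
# with COMMIT, so a truncated or half-edited file is never applied.
check_rules() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '^\*filter$' "$f" || return 1
    for c in INPUT FORWARD OUTPUT; do
        grep -Eq "^:$c (ACCEPT|DROP) \[" "$f" || return 1
    done
    grep -q '^COMMIT$' "$f"
}
# fail_closed: if the rule set cannot be loaded, drop everything rather
# than let the interfaces come up unfiltered.
fail_closed() {
    for c in INPUT FORWARD OUTPUT; do iptables -P "$c" DROP; done
}

start() {
    # iptables-restore replaces the whole table atomically; on a parse
    # error the kernel keeps the previous rules, and we fail closed.
    if check_rules "$RULES" && iptables-restore < "$RULES"; then
        echo "firewall: loaded $RULES"
    else
        echo "firewall: $RULES rejected, dropping all traffic" >&2
        fail_closed; return 1
    fi
}

case "${1:-}" in
    start|restart|reload) start ;;
    stop) ;;               # rules are static: nothing to undo at shutdown
    "") ;;                 # no argument: just define the functions
    *) echo "Usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```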
