Hi,
On Mon, 2007-08-20 at 08:59 +0200, Mikael Frykholm wrote:
> Andrew Ruthven skrev:
> >
> > I'm not sure of a Debian recommended way, but a post-up line or a file
> > in /etc/network/if-up.d which only runs for the interface you want would
> > work okay.
>
> Hi,
> Shouldn't that be pre-up instead?
> Otherwise a reboot of the firewall would leave it vulnerable for some
> split seconds.
I've just tried this and confirmed my suspicion. This will fail if you
refer to the interface in your firewall. Since the interface isn't up
yet (pre-up) iptables can't find the device to apply the rules against. So,
not so good if that is how you manage your firewall (which I do to make
sure that only the traffic that is supposed to traverse an interface does
so).
Perhaps in the pre-up you could reject all IPv6 traffic and then in the
post-up apply your rules (and leave the default as reject).
I'd be quite interested if there is a better way to make this work.
Cheers!
--
Andrew Ruthven
Wellington, New Zealand
At home: andrew@etc.gen.nz | This space intentionally left blank.
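One way to implement the two-phase approach Andrew suggests (default reject in pre-up, per-interface rules in post-up) as a single ifupdown hook script. This is an added example, not code from the thread; the managed interface name (eth0), the IPv6 address family check and the sample accept rules are assumptions, and the IFACE, ADDRFAM, MODE and PHASE variables are the ones ifupdown exports to hook scripts (interfaces(5)).

```sh
#!/bin/sh
# Two-phase IPv6 firewall hook for ifupdown (added example, not from the thread).
# Install as /etc/network/if-pre-up.d/ip6fw and /etc/network/if-up.d/ip6fw.
# Set IP6TABLES=echo to dry-run and print the commands instead of applying them.

FW_IFACE="${FW_IFACE:-eth0}"        # the one interface this script manages (assumption)
IP6TABLES="${IP6TABLES:-ip6tables}"

# Phase 1 (pre-up): the device does not exist yet, so only rules that name no interface.
# Policies are set to DROP before flushing so there is never a window with an open ruleset.
fw_preup() {
    "$IP6TABLES" -P INPUT DROP
    "$IP6TABLES" -P FORWARD DROP
    "$IP6TABLES" -P OUTPUT DROP
    "$IP6TABLES" -F
    # ICMPv6 carries neighbour discovery and router advertisements; dropping it
    # would leave the interface unable to obtain an address at all.
    "$IP6TABLES" -A INPUT -p icmpv6 -j ACCEPT
    "$IP6TABLES" -A OUTPUT -p icmpv6 -j ACCEPT
}

# Phase 2 (post-up): the device exists, so per-interface rules can be applied.
# Whatever does not match here falls through to the DROP policies from phase 1.
fw_postup() {
    iface="$1"
    "$IP6TABLES" -A INPUT -i lo -j ACCEPT
    "$IP6TABLES" -A OUTPUT -o lo -j ACCEPT
    "$IP6TABLES" -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IP6TABLES" -A OUTPUT -o "$iface" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IP6TABLES" -A INPUT -i "$iface" -p tcp --dport 22 -j ACCEPT
}

# Dispatcher: fw_hook PHASE IFACE ADDRFAM MODE. Runs only when the managed interface is
# brought up, and only for its inet6 stanza so the rules are not applied twice.
fw_hook() {
    [ "$4" = start ] || return 0
    [ "$2" = "$FW_IFACE" ] || return 0
    [ "$3" = inet6 ] || return 0
    case "$1" in
        pre-up)  fw_preup ;;
        post-up) fw_postup "$2" ;;
    esac
    return 0
}

# Dispatch only when ifupdown invoked us (it always sets PHASE); sourcing the file does nothing.
[ -z "${PHASE:-}" ] || fw_hook "$PHASE" "${IFACE:-}" "${ADDRFAM:-}" "${MODE:-}"
```

Because the same file is linked into both hook directories, the pre-up phase never references the interface and the post-up phase only runs once the device exists, which avoids the failure Andrew observed.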