Hi,

On Mon, 2007-08-20 at 08:59 +0200, Mikael Frykholm wrote:
> Andrew Ruthven wrote:
> >
> > I'm not sure of a Debian recommended way, but a post-up line or a file
> > in /etc/network/if-up.d which only runs for the interface you want would
> > work okay.
>
> Hi,
> Shouldn't that be pre-up instead?
> Otherwise a reboot of the firewall would leave it vulnerable for some
> split seconds.

I've just tried this and confirmed my suspicion. This will fail if you
refer to the interface in your firewall. Since the interface isn't up
yet (pre-up), iptables can't find the device to apply the rules against.

So, not so good if that is how you manage your firewall (which I do to
make sure that only the traffic that is supposed to traverse an interface
does so).

Perhaps in the pre-up you could reject all IPv6 traffic and then in the
post-up apply your rules (and leave the default as reject).

I'd be quite interested if there is a better way to make this work.

Cheers!

--
Andrew Ruthven
Wellington, New Zealand
At home: andrew@etc.gen.nz | This space intentionally left blank.
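The pre-up/post-up split suggested in the message above, as an added example that is not part of the original thread: one hook that applies a device-independent default deny before the interface comes up and adds the per-interface allow rules afterwards. The interface name `WAN_IF`, the `FW6_APPLY` switch, the function names and the allowed services are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical hook meant to be installed
# in both /etc/network/if-pre-up.d/ and /etc/network/if-up.d/; ifupdown
# exports IFACE and PHASE to scripts in those directories.
# Assumptions: WAN_IF, FW6_APPLY, the function names and the allowed services.
WAN_IF="${WAN_IF:-eth0}"

# Print the ip6tables commands for one phase; nothing for other interfaces.
fw6_plan() {
    phase="$1"; iface="$2"
    [ "$iface" = "$WAN_IF" ] || return 0
    case "$phase" in
    pre-up)
        # Device-independent default deny. Chain policies can only be
        # ACCEPT or DROP, so DROP stands in for "reject" here.
        echo "ip6tables -P INPUT DROP"
        echo "ip6tables -P FORWARD DROP"
        echo "ip6tables -F INPUT"
        echo "ip6tables -F FORWARD"
        echo "ip6tables -A INPUT -i lo -j ACCEPT"
        ;;
    post-up)
        # Interface is up now: add the per-interface allow rules.
        echo "ip6tables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "ip6tables -A INPUT -i $iface -p ipv6-icmp -j ACCEPT"
        echo "ip6tables -A INPUT -i $iface -p tcp --dport 22 -j ACCEPT"
        ;;
    esac
}

# Dry run by default; set FW6_APPLY=1 (as root) to execute the plan.
fw6_apply() {
    fw6_plan "$1" "$2" | while read -r cmd; do
        if [ "${FW6_APPLY:-0}" = 1 ]; then
            $cmd || exit 1
        else
            echo "would run: $cmd"
        fi
    done
}

# ifupdown sets PHASE; when sourced or run by hand without it, do nothing.
if [ -n "${PHASE:-}" ]; then
    fw6_apply "$PHASE" "${IFACE:-}"
fi
```

Because the policies stay at DROP after post-up, anything not explicitly allowed on the interface remains blocked, and a failed post-up leaves the host closed rather than open.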