Re: Firewalling
On Tue, 13 Mar 2001, Alan Harper wrote:
> On Tue, Mar 13, 2001 at 11:01:58AM +0100, Victor Foitzik wrote:
> > At 08:15 13.03.2001, Craig wrote:
> >
> > >Have created a file which contains all my ipchains rules and I would like
> > >it to start when the machine loads. Not sure where the best place is for
> > >this. I used to use rc.local on RH but was told that this is a bush job and
> > >very sloppy as for debian, well used to use the network file on slink.
> >
> > Just another hint, make sure your script is started _before_ network
> > interfaces are brought up. Otherwise your firewall will be completely _open_
> > (for just a short period of time, but it will be). A useful place where to
> > put a link to your script is rcS.d, just before networking is launched.
> >
> My illegal way of doing this is running my firewall script in /etc/rcS.d

If you _really_ want to be pesky about it, you may want to put a line such
as

    pre-up /etc/init.d/yourfirewallscript start

in the /etc/network/interfaces file, in the description of all the
affected network interfaces. Or you may put a soft link to
/etc/init.d/yourfirewallscript in the /etc/network/if-pre-up.d directory.
This may give you a lot of flexibility: you may initialise different
firewalling rules for different interfaces, before they are brought up
and/or down. But in most situations, where such finely grained
flexibility is not needed, a simple, perhaps inelegant but very
effective link in rcS.d will do the trick. I confess I did it this way on
my laptop actually... :)

Bye
Giacomo
_________________________________________________________________
Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
_________________________________________________________________
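
A check for the per-interface approach described in the message above, as an added example that is not part of the original thread: the shell function lists every non-loopback `iface` stanza in an interfaces file that lacks the `pre-up` firewall line. The function names and the sample file contents are constructed for illustration; the script path is the placeholder used in the message.

```shell
#!/bin/sh
# Added example: find interfaces that would come up without the firewall hook.
# FW_SCRIPT is the placeholder path from the message, not a real script.
FW_SCRIPT="/etc/init.d/yourfirewallscript"

# ifaces_missing_preup FILE [SCRIPT]
# Prints one interface name per line for every non-loopback "iface" stanza
# in FILE (use "-" for stdin) that has no "pre-up SCRIPT ..." line.
# Prints nothing when every stanza is covered.
ifaces_missing_preup() {
    awk -v fw="${2:-$FW_SCRIPT}" '
        function report() { if (name != "" && !covered) print name }
        $1 ~ /^#/ { next }                        # skip comment lines
        $1 == "iface" {                           # a new stanza starts
            report()
            name = ($4 == "loopback") ? "" : $2   # loopback needs no hook
            covered = 0
            next
        }
        # Other top-level keywords end the current stanza.
        $1 == "auto" || $1 == "mapping" || $1 == "source" || $1 ~ /^allow-/ {
            report(); name = ""; next
        }
        $1 == "pre-up" && $2 == fw { covered = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample input: eth0 has the hook, eth1 does not.
sample_interfaces() {
cat <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
    pre-up /etc/init.d/yourfirewallscript start

iface eth1 inet static
    address 192.0.2.10
    netmask 255.255.255.0
EOF
}

sample_interfaces | ifaces_missing_preup -
```

An interface protected only by a link in /etc/network/if-pre-up.d will also be listed, since that method leaves no line in the interfaces file.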