
Re: firewall



[snip]

> > It should be sufficient to do
> >         update-rc.d -f portmap remove
> >         update-rc.d -f lpd remove
> >         update-rc.d -f bind remove
> 
> As an aside, I did this with proftpd, but when I upgrade, the install
> scripts restart it.  Is there a proper way to deal with this?  Is
> there some Debian policy relating to it?

I usually divert the package's binary to something else.  That way the init
script sees that the executable does not exist and therefore doesn't start
it.  For portmap use something like:

dpkg-divert --rename --divert /sbin/portmap.diverted /sbin/portmap

Even if the init scripts get put back in place by an upgrade, they are
looking for /sbin/portmap and not /sbin/portmap.diverted.  :-)  Man
dpkg-divert for more info.

There are several variations one could use on this theme.  For an extreme
example, you could create an encrypted filesystem (using the International
Kernel Patch) at, say, /var/lib/local-diversions.  The fs would not be
mounted under normal circumstances.  You would divert files onto that
filesystem (make sure it is mounted at the time of diversion and upgrades,
though).  That way the binaries are only available when needed by an admin. 
Symlinks could be created for the original names so that init scripts would
only work when the encrypted fs is mounted.

Now if only there were as nifty a Debian tool to make the package system
think that a particular package was installed, without actually having it
installed.

-Garrick James
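As an added example (not part of the message above, and not a Debian tool), a small POSIX shell script that wraps the dpkg-divert steps Garrick describes and adds the check a practitioner would want before relying on them: that the daemon's init script really does guard its start with a `test -x` on the binary, so the diversion makes it exit quietly rather than fail at boot. The function names, the `.diverted` suffix, the script name and the init-script lines used for checking are assumptions; `/sbin/portmap` is the path from the post.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the dpkg-divert trick in
# functions and add the check that makes it safe to rely on.
# Assumes a Debian system with dpkg-divert.  /sbin/portmap and the
# ".diverted" suffix come from the post; the function names are assumed.
set -e

# Does the init script guard its start with "test -x BIN" or "[ -x BIN ]"?
# If it does, diverting BIN away makes the script exit 0 quietly at boot and
# on every package upgrade that re-runs it.  If it does not, the script will
# instead fail noisily (start-stop-daemon cannot find the executable), which
# is still safe but worth knowing before you reboot.  Scripts that put the
# path in a variable (DAEMON=/sbin/portmap) need the variable line checked.
init_guards_exec() {
  script=$1
  bin=$2
  grep -Eq "(test|\[) +-x +$bin( |\])" "$script"
}

# Move BIN out of the way and register the diversion with dpkg, so that any
# later upgrade or reinstall of the owning package drops the new binary at
# BIN.diverted instead of BIN.  Needs root; add --test to preview.
divert_daemon() {
  bin=$1
  dpkg-divert --local --rename --divert "$bin.diverted" "$bin"
}

# Undo divert_daemon: drop the diversion and move the file back.  Needs root.
restore_daemon() {
  bin=$1
  dpkg-divert --local --rename --remove "$bin"
}

# Report whether BIN is currently diverted; "dpkg-divert --list PATH" prints
# nothing for an undiverted path.
is_diverted() {
  [ -n "$(dpkg-divert --list "$1")" ]
}

# Command-line use (assumed script name):
#   ./divert-daemon.sh divert|restore|status /sbin/portmap
case "${1:-}" in
  divert)  divert_daemon "$2" ;;
  restore) restore_daemon "$2" ;;
  status)
    if is_diverted "$2"; then echo "$2 is diverted"; else echo "$2 is not diverted"; fi
    for s in /etc/init.d/*; do
      [ -f "$s" ] || continue
      init_guards_exec "$s" "$2" && echo "$s guards its start with test -x $2"
    done
    ;;
esac
```

Run `status` first: it tells you whether the path is already diverted and which init scripts will quietly skip the daemon once the binary is gone. Note that `--rename` only moves a file that exists; the thing that keeps the trick working across upgrades is dpkg itself, which honours the registered diversion and writes the package's new copy to the `.diverted` name.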


