Re: Where to install the firewall scripts

To: renato@sabolboro.org
Cc: debian-security@lists.debian.org
Subject: Re: Where to install the firewall scripts
From: Giacomo Mulas <gmulas@ca.astro.it>
Date: Mon, 16 Dec 2002 10:34:54 +0100 (CET)
Message-id: <Pine.LNX.4.44L.0212161021340.11219-100000@capitanata.ca.astro.it>
Reply-to: Giacomo Mulas <gmulas@ca.astro.it>
In-reply-to: <20021214215303.64713.qmail@web10105.mail.yahoo.com>

On Sat, 14 Dec 2002, bong sabolboro wrote:

> I am currently implementing a firewall using a
> notebook and Debian Woody.  What is the best place to
> put the firewall rules that I want implemented for my
> local setup?

There are a few possible alternatives. The main point is that you want
your firewalling rules to be in place before your interfaces come up. This
constraint means that you can either:

1) create an init script and an S* link to it in /etc/rcS.d, with a number
smaller than the ones that initialise your networking. Simple, effective,
possibly not the most flexible solution, but it works (that's what I did
on my laptop), a couple of years ago.

2) create init scripts and place then in /etc/network/if-pre-up.d and
friends: in this way you can have a more finely grained control and still
have all the security. This is also a solution closer to the "debian" way
of doing things. It requires a little bit more work, but this is probably
what I would do now if I were to redo my firewalling setup from scratch on
my laptop. Check the documentation for the ifupdown package to see how to
get this right.

Since you are using a laptop, there are also more possibilities, which
depend on what you will be using to handle networking: you may want to
call scripts from pcmcia-cs initialisation scripts, if you are using a
pcmcia network adapter, or you may want to use laptop-net, which uses its
own set of scripts to set up networking in different environments... and
much more. However, these latter solutions will depend on a specific
hardware setup and on specific software packages. As I said before, I
would go for 2) above, but it's your choice really, and that's what
open-source is all about: there is more than one "right" way to do things
and you get to choose what you prefer.

Hope this helps, bye
Giacomo

-- 
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248     Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________

Reply to:

References:
- Where to install the firewall scripts
  - From: bong sabolboro <tagamichi@yahoo.com>

Prev by Date: Re: Where to install the firewall scripts
Next by Date: Re: firewall advice
Previous by thread: Re: Where to install the firewall scripts
Next by thread: smtp-auth
Index(es):
- Date
- Thread