
Re: automatic Firewall start/stop



On Fri, Aug 02, 2002 at 04:49:40PM -0500, Mark Roach wrote:
> Hi, Peter. I would have suggested that except for the fact that the
> iptables maintainer seems very opposed to that script. From
> /etc/default/iptables:
> 
> # Q: You concocted this init.d setup, but you do not like it?
> # A: I was pretty much hounded into providing it. I do not like it.
> #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> #    init.d script -- no need to even name it iptables.  Use ferm,
> #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> #    firewall configuration tools available. Do not use the init.d
> #    script.
> #
> # Q: What is this iptables init.d setup all about?
> # A: The iptables init.d setup saves and restores whole iptables's
> #    table rulesets. That's basically it. It doesn't create any
> #    iptables rules nor provide for running any iptables rules.
> #    That also implies no support at all for dynamic rules.
> 
> Anybody know why he dislikes this setup so strongly?

IME, it's much better to associate filtering rules with the time when an
interface is brought up than with system startup. Several of the
interfaces on my system don't (and shouldn't) even exist when init
scripts are run.

You can add commands to /etc/network/interfaces that are run when an
interface is brought up or down.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
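The approach Colin describes above, as an added example that is not part of this thread or of the Debian iptables package: a small script called from an interfaces stanza that loads a per-interface chain on pre-up and removes it on post-down. The script path, the chain naming scheme and the rules themselves are assumptions for illustration; it relies on ifupdown exporting IFACE and MODE to the commands it runs (see interfaces(5)).

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/iface-firewall (example, not from the thread).
# Wire it into /etc/network/interfaces for the interface it should guard:
#     iface eth0 inet dhcp
#         pre-up    /usr/local/sbin/iface-firewall
#         post-down /usr/local/sbin/iface-firewall
# ifupdown exports IFACE and MODE (start|stop) to these commands. Loading in
# pre-up means the rules exist before the interface can pass packets, and a
# failed load makes ifup abort instead of bringing the interface up unfiltered.
set -eu

# Override with IPTABLES=echo to dry-run and see the commands that would run.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Remove the per-interface chain and its hook; errors are ignored so this
# also works when nothing has been loaded yet.
remove_rules() {
    iface="$1"
    chain="fw-$iface"
    "$IPTABLES" -D INPUT -i "$iface" -j "$chain" 2>/dev/null || true
    "$IPTABLES" -F "$chain" 2>/dev/null || true
    "$IPTABLES" -X "$chain" 2>/dev/null || true
}

# Build a chain dedicated to this interface and hook it into INPUT, so the
# rules for one interface never disturb those of another.
apply_rules() {
    iface="$1"
    chain="fw-$iface"
    remove_rules "$iface"              # idempotent: clear leftovers first
    "$IPTABLES" -N "$chain"
    "$IPTABLES" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A "$chain" -p tcp --dport 22 -j ACCEPT
    "$IPTABLES" -A "$chain" -j DROP
    "$IPTABLES" -I INPUT -i "$iface" -j "$chain"
}

# Dispatch on what ifupdown is doing; do nothing when run outside ifupdown.
if [ -n "${IFACE:-}" ]; then
    case "${MODE:-}" in
        start) apply_rules "$IFACE" ;;
        stop)  remove_rules "$IFACE" ;;
    esac
fi
```

Because every rule lives in a chain named after the interface, bringing eth0 down never touches the rules guarding ppp0, which is the property a whole-table save/restore at boot cannot give.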
