
Re: automatic Firewall start/stop



On Sun, 2002-08-04 at 18:44, Colin Watson wrote:
> On Fri, Aug 02, 2002 at 04:49:40PM -0500, Mark Roach wrote:
> > Hi, Peter. I would have suggested that except for the fact that the
> > iptables maintainer seems very opposed to that script. From
> > /etc/default/iptables:
> > 
> > # Q: You concocted this init.d setup, but you do not like it?
> > # A: I was pretty much hounded into providing it. I do not like it.
> > #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> > #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> > #    init.d script -- no need to even name it iptables.  Use ferm,
> > #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> > #    firewall configuration tools available. Do not use the init.d
> > #    script.
> > #
> > # Q: What is this iptables init.d setup all about?
> > # A: The iptables init.d setup saves and restores whole iptables's
> > #    table rulesets. That's basically it. It doesn't create any
> > #    iptables rules nor provide for running any iptables rules.
> > #    That also implies no support at all for dynamic rules.
> > 
> > Anybody know why he dislikes this setup so strongly?
> 
> IME, it's much better to associate filtering rules with the time when an
> interface is brought up than with system startup. Several of the
> interfaces on my system don't (and shouldn't) even exist when init
> scripts are run.
> 
> You can add commands to /etc/network/interfaces that are run when an
> interface is brought up or down.
> 
I think that this is a valid point; however, iptables does offer the
flexibility of assigning rules to an interface even if it doesn't exist
yet.  If you were to put all the rules in one file, like with this
script, then it could be easier to administer.  But it could definitely
be argued either way.

Jamie Strandboge
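An added example (not part of the thread above, and not the Debian iptables package's own code) of the approach Colin describes: rules tied to the interface rather than to system startup. It is a single ifupdown hook script meant to be installed as both /etc/network/if-up.d/firewall and /etc/network/if-down.d/firewall; ifupdown exports IFACE and MODE ("start" or "stop") to its hook scripts. Each interface gets its own chain, so bringing eth0 up or down never touches rules that belong to ppp0. The policy itself (allow ssh and icmp in, drop the rest) is a constructed illustration, not a recommendation.

```shell
#!/bin/sh
# Added example: per-interface firewall chains driven by ifupdown hooks.
# Same file for /etc/network/if-up.d/firewall and
# /etc/network/if-down.d/firewall. The rule contents are constructed
# for illustration only.

# Emit the iptables commands for one interface, one per line, without
# running them, so a ruleset can be reviewed (or tested) offline.
# $1 = interface name, $2 = "start" or "stop".
fw_commands() {
    iface="$1"; mode="$2"; chain="fw-$iface"
    case "$mode" in
    start)
        # A dedicated chain per interface; INPUT only carries a jump to it.
        cat <<EOF
iptables -N $chain
iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $chain -p tcp --dport 22 -j ACCEPT
iptables -A $chain -p icmp -j ACCEPT
iptables -A $chain -j DROP
iptables -I INPUT -i $iface -j $chain
EOF
        ;;
    stop)
        # Remove the jump first so the chain can be flushed and deleted.
        cat <<EOF
iptables -D INPUT -i $iface -j $chain
iptables -F $chain
iptables -X $chain
EOF
        ;;
    *)
        echo "fw_commands: unknown mode '$mode'" >&2
        return 1
        ;;
    esac
}

# Apply the commands for the current hook invocation. Does nothing
# unless called by ifupdown (IFACE and MODE set) on a host with iptables.
fw_apply() {
    [ -n "$IFACE" ] && [ -n "$MODE" ] || return 0
    command -v iptables >/dev/null 2>&1 || return 0
    fw_commands "$IFACE" "$MODE" | sh -e
}

fw_apply
```

The reason for a chain per interface rather than iptables-restore in the hook: iptables-restore replaces the whole table by default, so restoring "eth0's rules" when eth0 comes up would silently discard whatever ppp0 had installed. With a chain per interface the two approaches in the thread can also coexist: the init.d save/restore handles static rules, and the hooks add and remove only the interface-scoped chain.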


