
Re: lost configuration after reboot



On Thu, Jan 15, 2004 at 01:32:47AM +0100, Jan Minar wrote:

> (1) Setup your iptables configuration.
> (2) Do ``iptables-save > /etc/iptables.conf''.
> (3) Add ``iptables-restore < /etc/iptables.conf'' to /etc/init.d/network.

Instead of altering /etc/init.d/networking, I suggest looking
at interfaces(5), particularly: up, pre-up, down and post-down.

> Do NOT use /etc/init.d/iptables until it's audited -- there is/was
> a potential security breach (see Bug#225805), and other issues are
> probably to be discovered.

iptables-save is broken in various ways. It can produce output that
iptables-restore cannot parse.

iptables-restore is broken in one spectacular way, having no ability
to recover from errors. That can range from broken input (see above)
to simply failing because of missing netfilter features, in the
kernel or modular. (In other words, trying to load some match or
target that it has no kernel support for.) And the error messages
iptables-restore produces are not terribly useful.

Of course, beyond the typo that caused the bug reported in
Bug#225805, the init script in woody also suffers from being entirely
dependent on iptables-save and iptables-restore.

Bug#225805 is corrected in proposed-updates, though not as a
security issue. I still recommend not using that init script.


