
Re: networking
On Fri, Jan 14, 2011 at 4:31 PM, Bob Proulx <bob@proulx.com> wrote:
> Paul Cartwright wrote:
>> Bob Proulx wrote:
>>
>> #iptables loaded here:
>> pre-up iptables-restore < /etc/firewall-rules
>
> That looks like something local to your system.  It seems like an odd
> place to put that.  It looks like someone was trying to reload the
> firewall rules at startup time but didn't know about the directory of
> scripts /etc/network/if-up.d/* and so associated the timing with the
> loopback device coming online instead. Eww...
>>
>> did I put that iptables entry in? I don't remember... should it be there?
>
> I think you did put that in there.  It has that look.  As to whether
> it /should/ be there... well *I* wouldn't put it there.  :-) I think
> that type of reloading belongs elsewhere such as in an if-up.d/*
> script.  But I don't know about your firewall setup.  I could guess
> something like this in /etc/network/if-up.d/local-firewall using your
> current config as a template.
>
> #!/bin/sh
> case $IFACE in
>    eth*)
>        iptables-restore < /etc/firewall-rules
>        ;;
> esac
> exit 0
>
> That will run your command whenever any eth* device is brought up.

See http://wiki.debian.org/iptables because it suggests the
"/etc/firewall-rules" location.

I usually put the equivalent of "/etc/firewall-rules" (so without
using "iptables-restore") in "/etc/network/if-pre-up.d" because I want
the firewall up before the network's brought up. Using "pre-up" in
"/etc/network/interfaces" is basically the same thing, AFAIK.
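As an added illustration of the if-pre-up.d approach described above (this is example code, not anything from the post or from the Debian wiki): a hypothetical /etc/network/if-pre-up.d/firewall hook that loads a rules file in iptables-save format and deliberately returns non-zero on failure, so that ifup aborts rather than bringing the interface up behind an empty, accept-everything table. The file name and the IPTABLES_RESTORE override variable are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/firewall, an added example rather than
# anything from the post. ifupdown runs this hook with no arguments and exports
# IFACE; $RULES holds iptables-save output (the "/etc/firewall-rules" file).
RULES="${RULES:-/etc/firewall-rules}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"   # overridable for testing

# Return 0 for interfaces that should get the ruleset, 1 for the rest.
# Loopback comes up first and carries no filter rules here, so it is skipped.
wants_firewall() {
    case "$1" in
        eth*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Load the ruleset for interface $1. Any failure returns non-zero so that ifup
# aborts (interfaces(5): a failing pre-up command stops the interface from
# coming up), i.e. the host fails closed instead of coming online unfiltered.
load_rules() {
    iface="$1"
    wants_firewall "$iface" || return 0
    if [ ! -r "$RULES" ]; then
        echo "firewall: $RULES missing or unreadable, not bringing up $iface" >&2
        return 1
    fi
    if ! "$IPTABLES_RESTORE" < "$RULES"; then
        echo "firewall: iptables-restore failed for $iface" >&2
        return 1
    fi
    return 0
}

# When invoked by ifupdown (IFACE is set) act on that interface; when the
# file is merely sourced, only the functions above are defined.
if [ -n "${IFACE:-}" ]; then
    load_rules "$IFACE" || exit 1
fi
```

The hook must be executable and its file name must contain no dots, since run-parts(8) skips anything else in that directory.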
