
Re: iptables service with debian



On Sun, Apr 29, 2012 at 8:44 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> Tom H wrote:
>> On Sat, Apr 28, 2012 at 4:30 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:



>>> Iptables should be initialized from an initscript run before networking.
>>
>> I agree but until someone else pointed out that there was
>> iptables-persistent for that, there was no packaged way of doing so.
>
> Actually, the iptables package itself used to contain such facility. But
> it was removed in later versions.

I know. I've never understood why that facility was removed and am
glad that someone's seen fit to package iptables-persistent to
re-enable that facility.



>> Until iptables-persistent was released in July 2009, there wasn't a
>> packaged way of doing so and using "/etc/network/if-pre-up.d/" was the
>> recommended way, as documented in the Debian wiki.
>
> I am not going to argue endlessly about this, but IMO being mentioned
> in the Debian wiki does not make it "the recommended way".

Googling through Debian lists, I see that you've disliked
"/etc/network/if-pre-up.d/" since its inception; and rightly so.

But disliking the use of "/etc/network/if-pre-up.d/" for iptables
doesn't mean that Debian isn't committed to it and that it isn't that
way that we're expected to run iptables; although the existence of
iptables-persistent has given us an option other than creating our own
init script or using something more or less non-standard like the
apf-firewall or arno-iptables-firewall packages (or any other iptables
frontend; these are the two that I know of).

