On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
>
> You might want to install iptables-persistent, otherwise you'll have to
> roll-out your own solution.
I'm not using iptables-persistent, but just looked at it out of curiosity.
Its LSB header:
### BEGIN INIT INFO
# Provides: netfilter-persistent
# Required-Start: mountkernfs $remote_fs
# Required-Stop: $remote_fs
# Default-Start: S
# Default-Stop: 0 1 6
# Short-Description: Load boot-time netfilter configuration
# Description: Loads boot-time netfilter configuration
### END INIT INFO
S also starts in single-user mode, i.e. without network?
$remote_fs requires ip links to be already set up?
Stop, for good measure, does nothing. The comment in the script is crisply nice:
    stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
> In the particular case of iptables instead of writing a script you
> should probably just reuse your existing rules file and load that with
> an 'iptables-restore' from the .service unit.
That's somewhat questionable in some cases. I'd recommend writing a script
with iptables commands rather than interactively issuing iptables commands until
you are satisfied with the current setup. That's natural, since iptables
doesn't give visual feedback, so reasoning is your best friend. IOW, a
commented script is more readable than an interactive setup.
Then, since you have a script, why not run it directly, rather than
saving/restoring its results?
> We are quite far from the original topic so I would suggest you start a
> new thread in case you need assistance with this.
I try, but don't reset References:/In-Reply-To: header fields.
Best
Ale
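As an added illustration of the "commented script instead of save/restore" approach discussed above (this is example code, not part of the thread and not iptables-persistent's own script): the rule set lives in one function, so a "show" mode lets you review exactly what "apply" will run, and "flush" is a separate, explicit action, mirroring the netfilter-persistent comment that "stop" should never silently flush. The uplink interface name, the admin port and the rules themselves are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from iptables-persistent): a commented
# iptables script with a dry-run "show" mode. Interface, port and rules are
# assumptions constructed for illustration.

set -eu

WAN_IF="${WAN_IF:-eth0}"     # assumed uplink interface
SSH_PORT="${SSH_PORT:-22}"   # assumed admin port

# The rule set, one iptables invocation per line, with the reasoning kept next
# to each rule. "show" and "apply" both read from here, so what you review is
# what gets loaded. Accept rules come first and the DROP policy last, so an
# admin session over SSH survives a reload.
rules() {
    cat <<EOF
# start from a permissive, empty table
iptables -P INPUT ACCEPT
iptables -F
iptables -X
# loopback is always trusted
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host opened, and related traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# admin access on the uplink, rate-limited against password guessing
iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
# answer pings, but not floods
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# log what falls through (rate-limited), then let the policy drop it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# default deny is set last, once the accept rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Number of actual iptables commands in the rule set (comment lines excluded).
rule_count() {
    rules | grep -c '^iptables'
}

# Load the rule set. sh -e stops at the first failing command rather than
# leaving a half-built table behind. Needs root.
apply_rules() {
    rules | sh -e
}

# Explicit flush, the equivalent of netfilter-persistent's "flush" action:
# open the policies first so nothing is locked out while chains are emptied.
flush_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
    iptables -F
    iptables -X
}

case "${1:-}" in
    show)  rules ;;          # review the commented rule set without touching the kernel
    apply) apply_rules ;;    # load it (root)
    flush) flush_rules ;;    # explicit only, never implied by "stop"
    "")    ;;                # no argument: just define the functions (e.g. when sourced)
    *)     echo "usage: $0 {show|apply|flush}" >&2; exit 2 ;;
esac
```

Run `sh firewall.sh show` to read the rule set as it will be executed, and `sudo sh firewall.sh apply` to load it; an init or systemd unit would call `apply` at boot, and nothing on the stop path flushes.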