Chmouel Boudjnah wrote:
> 
> I don't catch the point, rc.firewall is generally here to set
> ipchains rules or enable/disable /proc/sysctl features, what's wrong
> with this?

The point is that the ipchains can NOT be set up until the assigned
IP, network IP, and the assigned name servers are known, since the
rules need to use these.

In the case of kppp the firewall and /proc features setup therefore
cannot be called until kppp completes with a valid link.

In the case of ethernet connections using dhcp, the firewall and
/proc features setup cannot be called until dhcp has completed - in
fact should be called immediately by dhcp itself to minimise the
unprotected exposure time.

In the case of ethernet connections with a static IP, the firewall
and /proc features setup should for the same reason be called
directly from the appropriate eth<n>-up.   The existing rc.firewall
would be too late.   

So the provision of rc.firewall in its present form is ill-conceived
and not in conformance with real-world requirements (like far too
much about the new Mandrake installer - I could go on ...).

-- 

Regards,

Ron. [AU] - sent by Linux.
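
The ordering argued for above, sketched as an added example (not part of the original message or of any Mandrake script): rules are generated only once the link's address and name servers are known. The function name fw_rules and the particular rule set are hypothetical; the ipchains options and the pppd ip-up argument order are the standard ones.

```sh
#!/bin/sh
# Added example: build link-specific ipchains rules after the link is up.
# fw_rules IFACE LOCAL_IP [RESOLV_CONF] prints the commands; pipe to sh to apply.
fw_rules() {
    iface=$1 local_ip=$2 resolv=${3:-/etc/resolv.conf}

    # Refuse to build rules from a missing or malformed address or file.
    case $local_ip in
        ''|*[!0-9.]*) echo "fw_rules: bad address '$local_ip'" >&2; return 1 ;;
    esac
    [ -r "$resolv" ] || { echo "fw_rules: cannot read $resolv" >&2; return 1; }

    # /proc feature: source-address verification on this interface.
    echo "echo 1 > /proc/sys/net/ipv4/conf/$iface/rp_filter"

    # Anti-spoofing: nothing arriving on the link may claim our own address.
    echo "ipchains -A input -i $iface -s $local_ip -j DENY -l"

    # Accept DNS replies only from the name servers assigned for this link.
    while read -r key ns rest; do
        [ "$key" = nameserver ] || continue
        case $ns in ''|*[!0-9.]*) continue ;; esac   # ipchains is IPv4 only
        echo "ipchains -A input -i $iface -p udp -s $ns 53 -d $local_ip 1024:65535 -j ACCEPT"
    done < "$resolv"

    # Anything else claiming to come from a DNS port is dropped and logged.
    echo "ipchains -A input -i $iface -p udp -s 0.0.0.0/0 53 -d $local_ip -j DENY -l"
}

# Run as pppd's /etc/ppp/ip-up hook; the arguments are:
#   iface tty speed local-ip remote-ip
if [ "$#" -ge 5 ]; then
    fw_rules "$1" "$4" | sh
fi
```

The same function can be called from a DHCP client's post-configuration hook or from an interface-up script, passing the interface and the address just assigned.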
