Rainer Ellinger <[EMAIL PROTECTED]> writes:

> Olaf Meeuwissen wrote:
> > Better yet, forget the whole /etc/default/iptables stuff and set your
> > firewalling up through appropriate scripts in the
> > /etc/network/if-*.d/ directories. For an idea on how you could go
>
> Is there any better reason than "forget about it" for your approach?

Unless the latest iptables has fixed it, there is a small window of
vulnerability with the init.d approach. Looks like it did. See
http://bugs.debian.org/135599 and http://bugs.debian.org/140428

> How do you update single rules in running configs?

Very carefully :-)

Seriously though, from the command line with "iptables ..." just like
you do. If the changes are supposed to survive reboots and run level
changes, I just put them in a shell script in the /etc/network/if-*.d
they belong in.

> With /etc/init.d/iptables, you make your changes with "iptables ..."
> and save the whole ruleset with "/etc/init.d/iptables save active". If
> you're afraid of losing the remote connection while experimenting with
> rulesets, you may save your working config to a new name and schedule
> (with cron/at) a "/etc/init.d/iptables load SavedBackupNameblabla"
> before you start changing anything.

As far as I can tell, you can still do that even if you have none of
the /etc/rc?.d/ symlinks.

> It's also easy to have several different iptables setups or versions
> and backups. How do you achieve this with your solution?

You could check for the current run level or an environment variable in
the scripts and adapt to that if you need that kind of flexibility.
Probably not a very clean solution, but it should work. The only
systems for which I see a need for that level of flexibility are laptops
that change environments frequently. For these cases you have to redo
the network device set up anyway. Okay, add DHCP clients to the list.
Now here's an interesting problem!

For versions and backups, put your scripts in CVS or some such.

> I can't see any benefits.

I see FW setup as an integral part of network device configuration, not
as some separate activity that has to be performed during boot and run
level changes. Your view may be different. Besides, it plugged existing
iptables holes at the time I set it up.
# The maintainer has also expressed his dislike for the init.d script
# on several occasions (see /etc/defaults/iptables).

-- 
Olaf Meeuwissen                        Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH
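The approach Olaf describes above (a firewall script living in /etc/network/if-*.d rather than an init.d script), as an added example that is not his script and not part of the original mail. It assumes a hypothetical /etc/network/if-pre-up.d/firewall hook, a public interface named eth0 and a constructed admin host 192.0.2.10; ifupdown exports IFACE and MODE (start/stop) to these hooks, and the ruleset is loaded with iptables-restore so the whole table is replaced in one commit instead of being flushed and rebuilt rule by rule. The `--test` dry run is an iptables-restore option of current iptables releases, not something available when the thread was written.

```sh
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/firewall (added example, not the
# original poster's script). ifupdown runs it before the interface comes
# up, with IFACE and MODE (start/stop) exported into the environment.
# Assumed: WAN interface "eth0", constructed admin host 192.0.2.10.

WAN_IFACE="${WAN_IFACE:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"

# Emit a complete ruleset in iptables-save format for the given interface.
# Keeping the rules as data rather than a series of "iptables ..." calls
# lets iptables-restore swap the whole filter table in one commit, so
# there is no moment where the old rules are gone and the new ones are
# not yet loaded. Keying on the interface name is also what makes one
# script serve a laptop that moves between environments.
ruleset_for() {
    iface="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 -s $ADMIN_HOST -j ACCEPT
-A INPUT -i $iface -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $iface -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Number of rules bound to an interface; a cheap sanity check that the
# generated ruleset actually covers the device being brought up.
rule_count_for() {
    ruleset_for "$1" | grep -c -- "-i $1 "
}

# Parse first (iptables-restore --test, present in current iptables), then
# load atomically. Returns non-zero without touching the kernel tables if
# the ruleset does not parse.
apply_rules() {
    iface="$1"
    ruleset_for "$iface" | iptables-restore --test || return 1
    ruleset_for "$iface" | iptables-restore
}

# Only act when ifupdown is bringing up the interface we care about;
# sourcing or running the file by hand does nothing.
if [ "${MODE:-}" = "start" ] && [ "${IFACE:-}" = "$WAN_IFACE" ]; then
    apply_rules "$IFACE" || { logger -t firewall "ruleset for $IFACE rejected, interface left down"; exit 1; }
fi
```

Because the hook exits non-zero when the ruleset is rejected, ifupdown aborts bringing the interface up, which keeps the box from coming online with no filter at all; the same file, chmod +x, can be symlinked into if-post-down.d with a "stop" branch if you want the rules torn down together with the device.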

