>>>>> Kinglok, FONG <[email protected]> writes:
>>>>> Ivan Shmakov <[email protected]> wrote:
>>>>> Kinglok, FONG <[email protected]> writes:
>>>>> Jonathan Yu <[email protected]> wrote:

 >> Thank you Jonathan for writing the nice blog article and it works.
 >> But it requires some customization in Debian Lenny.

 >> For some reason, the script in /etc/network/if-pre-up.d/ doesn't
 >> load up by default.

 > Did you set the execute permission on the script?

 > # chmod +x /etc/network/if-pre-up.d/SCRIPTNAMEHERE

 > Sure.  However, Lenny doesn't load the scripts.

        Sounds like Debian Bug#540123?

http://bugs.debian.org/540123

 >>> I apparently used /etc/network/if-pre-up.d (I can't remember the
 >>> reasoning why, but I guess it's useful to make sure you load the
 >>> rules prior to bringing the interfaces up, which means the rules
 >>> will be there once network connectivity is brought up)

 >> You have to explicitly call it from /etc/network/interfaces like:

 >> auto eth0
 >> iface eth0 inet static
[...]
 >>         pre-up /etc/network/if-pre-up.d/iptables

 > It somewhat defeats its advantage of /not/ having it mentioned
 > for each of the host's interfaces.

 > In my case, the gateway got three NICs, one for internet, one for DMZ
 > and one for LAN inside.  Loading the iptables once is enough for all.

        Yes.

 > So, one instance of

 > pre-up /etc/network/if-pre-up.d/iptables

 > is enough.

        The point here is that it doesn't feel quite The Right Way, at
        least to me.

        First of all, the `pre-up' command is going to be run prior to
        bringing this particular interface up.  Other interfaces may get
        set up earlier, and won't be protected with the firewall until a
        bit later.

        Second, it makes the configuration somewhat fragile.  Consider,
        e. g., that the administrator, for whatever reason, removes the
        interface referencing the iptables script from the `auto' list,
        like:

- auto eth0 eth1 eth2 .. ethN-1 ethN ethN+1 ...
+ auto eth0 eth1 eth2 .. ethN-1 ethN+1 ...
  iface eth0 inet static
      ...
  iface eth1 inet static
      ...
  iface eth2 inet static
      ...
  iface ethN inet static
      ...
      pre-up /whatever/iptables
  ...

        This change, while having nothing to do with the pre-up option,
        effectively disables the firewall for /all/ the interfaces, which
        may be surprising.

        While this particular case is probably of minor importance, the
        particular mind pattern behind it seems to me harmful.

-- 
FSF associate member #7257
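The fragility described in the message above (a firewall loader hooked to one interface's `pre-up`, so that pulling that interface out of `auto` silently leaves every interface unfiltered, and interfaces listed earlier in `auto` come up before the rules exist) can be checked for mechanically. The following is an added example, not code from the thread or from Debian: a small linter for `interfaces(5)` files that reports a firewall-looking `pre-up` command attached to an interface that is not in `auto`, or that is preceded in `auto` by other interfaces. The sample file, the `FIREWALL_HINTS` substrings and the finding names are constructed for this example; `source` and `allow-hotplug` directives are not handled.

```python
"""Lint an interfaces(5) file for per-interface firewall pre-up hooks.

Added example for the debian-user thread on loading iptables from
/etc/network/interfaces; not part of any Debian tool.  The point of the
thread is that a script dropped in /etc/network/if-pre-up.d/ runs for
every interface without being named anywhere, whereas a hook written as
'pre-up ... iptables' under one iface stanza only runs when that one
interface is brought up.
"""

# Constructed sample modelled on the thread's three-NIC gateway: the
# firewall is loaded from eth2's stanza only.  Not a real host's file.
SAMPLE_INTERFACES = """\
auto lo eth0 eth1 eth2
iface lo inet loopback

iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0

iface eth1 inet static
    address 198.51.100.1
    netmask 255.255.255.0

iface eth2 inet static
    address 203.0.113.1
    netmask 255.255.255.0
    pre-up /etc/network/if-pre-up.d/iptables
"""

# Substrings that mark a pre-up command as a firewall loader (assumption;
# extend to match the script name used on a given host).
FIREWALL_HINTS = ("iptables", "nftables", "firewall")


def parse_interfaces(text):
    """Return (auto_list, {iface: [pre-up commands]}) from interfaces(5) text.

    'auto' interfaces are kept in file order, which is the order 'ifup -a'
    walks them at boot.  Comments and blank lines are ignored.
    """
    auto, hooks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in ("auto", "allow-auto"):
            auto.extend(words[1:])
        elif words[0] == "iface" and len(words) >= 2:
            current = words[1]
            hooks.setdefault(current, [])
        elif words[0] == "pre-up" and current is not None:
            hooks[current].append(" ".join(words[1:]))
    return auto, hooks


def firewall_hooks(text):
    """Map each interface to the firewall-looking pre-up commands it carries."""
    _, hooks = parse_interfaces(text)
    result = {}
    for iface, cmds in hooks.items():
        fw = [c for c in cmds if any(h in c for h in FIREWALL_HINTS)]
        if fw:
            result[iface] = fw
    return result


def lint(text):
    """Return a list of (kind, iface, detail) findings.

    kind is one of:
      'missing'        no firewall pre-up hook at all
      'not-auto'       hook sits on an interface that is not in 'auto', so the
                       rules never load at boot and no interface is protected
      'ordered-after'  interfaces listed before the hook's interface in 'auto'
                       are brought up before the rules are loaded
    """
    auto, _ = parse_interfaces(text)
    fw = firewall_hooks(text)
    findings = []
    if not fw:
        findings.append(("missing", None, "no firewall pre-up hook on any interface"))
        return findings
    for iface in fw:
        if iface not in auto:
            findings.append(("not-auto", iface,
                             "interface is not in 'auto'; hook never runs at boot"))
            continue
        earlier = [i for i in auto[:auto.index(iface)] if i != "lo"]
        if earlier:
            findings.append(("ordered-after", iface,
                             "brought up before the rules load: " + ", ".join(earlier)))
    return findings


if __name__ == "__main__":
    for kind, iface, detail in lint(SAMPLE_INTERFACES):
        print(f"{kind:14} {iface or '-':6} {detail}")
```

Run against a real file with `lint(open("/etc/network/interfaces").read())`. A clean result on a host that loads its rules from a `pre-up` line is only reachable when the hook's interface is the first non-loopback entry in `auto`; a drop-in script in `/etc/network/if-pre-up.d/` has neither finding, which is the thread's argument for preferring it.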
