Hi,

On Mon, 2007-08-20 at 08:59 +0200, Mikael Frykholm wrote:
> Andrew Ruthven wrote:
> >
> > I'm not sure of a Debian recommended way, but a post-up line or a file
> > in /etc/network/if-up.d which only runs for the interface you want would
> > work okay.
>
> Hi,
> Shouldn't that be pre-up instead?
> Otherwise a reboot of the firewall would leave it vulnerable for some
> split seconds.
I've just tried this and confirmed my suspicion. This will fail if you
refer to the interface in your firewall. Since the interface isn't up
yet (pre-up), iptables can't find the device to apply the rules against. So,
not so good if that is how you manage your firewall (which I do to make
sure that only the traffic that is supposed to traverse an interface does
so).
Perhaps in the pre-up you could reject all IPv6 traffic and then in the
post-up apply your rules (and leave the default as reject).
I'd be quite interested if there is a better way to make this work.
Cheers!
--
Andrew Ruthven
Wellington, New Zealand
At home: [EMAIL PROTECTED] | This space intentionally
| left blank.
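The two-phase approach Andrew suggests (pre-up: refuse all IPv6 by default policy; post-up: load the real rules once the interface exists) can be done with a single ifupdown hook script. The script below is an added example, not code from the thread or from Debian's ifupdown; it assumes the guarded interface is eth0, that the saved ruleset lives at /etc/ip6tables.rules, and it relies on ifupdown exporting IFACE and PHASE to hook scripts. Install it in /etc/network/if-pre-up.d/ and symlink it into /etc/network/if-up.d/ so the same file sees both phases.

```shell
#!/bin/sh
# Hypothetical ifupdown hook (added example, not from the original thread).
# ifupdown exports IFACE (interface name) and PHASE (pre-up, post-up,
# pre-down, post-down) to scripts in /etc/network/if-*.d/.

FW_IFACE="${FW_IFACE:-eth0}"             # interface the rules refer to (assumed)
RULES="${RULES:-/etc/ip6tables.rules}"   # ip6tables-save output (assumed path)
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running

# fw_action IFACE PHASE -> prints "lockdown", "load" or "none".
# Only the guarded interface triggers anything; other interfaces are ignored.
fw_action() {
    iface="$1"; phase="$2"
    if [ "$iface" != "$FW_IFACE" ]; then
        echo none; return 0
    fi
    case "$phase" in
        pre-up)  echo lockdown ;;
        post-up) echo load ;;
        *)       echo none ;;
    esac
}

# Run a command, or just echo it when DRY_RUN=1 (lets the logic be checked
# on a box without ip6tables or root).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Pre-up: the interface does not exist yet, so no rule may name it. Set
# DROP policies and allow only loopback; this closes the window between
# link-up and rule load that the thread is worried about.
lockdown() {
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT DROP
    run ip6tables -F
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A OUTPUT -o lo -j ACCEPT
}

# Post-up: the interface is up, so interface-specific rules now load.
# The saved file should itself keep DROP policies so that a partial or
# failed restore never widens access beyond the lockdown state.
load_rules() {
    if [ -r "$RULES" ]; then
        run ip6tables-restore < "$RULES"
    else
        echo "ip6fw: $RULES missing, leaving default DROP in place" >&2
        return 1
    fi
}

# Dispatch on what ifupdown told us; does nothing when run by hand.
case "$(fw_action "${IFACE:-}" "${PHASE:-}")" in
    lockdown) lockdown ;;
    load)     load_rules ;;
esac
```

Because the pre-up phase leaves DROP policies in place, a missing or broken rules file at post-up fails closed rather than open, which is the property the reboot concern in the thread is really about.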

