On Thu, Sep 14, 2006 at 07:15:18PM -0700, Joshua Penix wrote:
>
> On Sep 13, 2006, at 10:33 AM, Lan Barnes wrote:
>
> >I find I am ambivalent about tools like lokkit, which often do what I
> >want but hide what they do.
>
> The file you're looking for is /etc/sysconfig/iptables. (I think
> Stewart pointed you at an old location.)
>
> All lokkit does is set up the requested rules and then effectively
> call iptables-save to write the contents out to that file. The /etc/
> init.d/iptables script will process the saved rules on startup and
> shutdown. Since all the config files and arguments are bog-standard
> iptables fare, feel free to forsake lokkit and fill/edit that file
> yourself, either by hand or using the iptables tools. (Once you do
> this, beware not to run lokkit (or system-config-securitylevel)
> again, as it will clobber your changes.) You may also find /etc/
> sysconfig/iptables-config interesting and useful.
>
The question, and I'm not sure that it's been answered, is where does
lokkit find the rules it uses to overwrite /etc/sysconfig/iptables and
thus clobber it? Because if one modified lokkit's input to customize it,
one could use it with more granularity.

But in this case, the real cause wasn't any failure in lokkit. It was my
failure to remember to undo it when I needed/wanted less protection.
PEBCAK. (Or is it PEBKAC?)
> Of course it can be painful jumping all the way from a simple GUI
> tool into the arcane command line world of iptables... so the other
> choice would be to use something a little friendlier like Shorewall.
>
Now _that_ is a Big Idea. I always associated Shorewall and siblings
with small Linux and firewall utilities. But obviously it would do the
same job on a larger box. Thanks.
--
Lan Barnes
Linux Guy, SCM Specialist
Tcl/Tk Enthusiast
If you wish to make an apple pie from scratch, you must first create the
universe.
- Carl Sagan
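An added example, not from this thread or from lokkit itself: a small Python parser for the iptables-save format that lokkit writes to /etc/sysconfig/iptables, reporting which TCP ports the rules accept and what happens to an INPUT packet nothing matched, so a hand-edited file can be checked before the init script restores it. The rule set below is a constructed sample shaped like lokkit's output (its RH-Firewall-1-INPUT chain is assumed from that style).

```python
# Constructed sample in the iptables-save format that lokkit writes to
# /etc/sysconfig/iptables; the rules and counters here are made up.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [(chain, args)]) for the *filter table."""
    policies, rules, table = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy  # "-" marks a user-defined chain
        elif table == "filter" and line.startswith("-A "):
            parts = line.split()
            rules.append((parts[1], parts[2:]))
    return policies, rules

def open_tcp_ports(text):
    """TCP destination ports that some rule in the filter table ACCEPTs."""
    ports = set()
    for _chain, args in parse_filter(text)[1]:
        if "tcp" in args and "--dport" in args and "-j" in args \
                and args[args.index("-j") + 1] == "ACCEPT":
            ports.add(int(args[args.index("--dport") + 1]))
    return sorted(ports)

def input_fallback(text):
    """Fate of an unmatched INPUT packet: last unconditional target, else policy."""
    policies, rules = parse_filter(text)
    chain_rules = [a for c, a in rules if c == "INPUT"]
    # lokkit's INPUT chain is a single jump into its own user chain; follow it.
    if len(chain_rules) == 1 and chain_rules[0][0] == "-j" and chain_rules[0][1] in policies:
        chain_rules = [a for c, a in rules if c == chain_rules[0][1]]
    if chain_rules and chain_rules[-1][0] == "-j":
        return chain_rules[-1][1]
    return policies["INPUT"]
```

Because lokkit leaves the built-in INPUT policy at ACCEPT and relies on a trailing REJECT rule, deleting that one line by hand silently opens the host; input_fallback makes that visible.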
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list