> > (2) everything 'up' and functional once booted
> > (3) no inadvertent exposure by firewall before it's fully up
>
> In the general case it's really, really difficult to achieve that
Heh, so I've gathered. (2) I've managed. (3), tbh, I'm not sure I've done well
-- at least DURING the boot process.
> Eg, an ethernet interface will come up almost instantly, a PPP interface will
> take a variable length of time (and may not even come up straight away). I
> suppose you could add a "post up" clause to your network config to add
> iptables rules to block all traffic on the interface until the firewall gets
> (re)started.
Sure. The devil's in the details.
Complete/timely firewall protection throughout the boot-operate-shutdown cycle
is, hopefully, a not uncommon goal.
However, as you've pointed out -- getting it done at each variable step is
challenging. Doing the same given my aforementioned jungle of dependencies is,
at best, a bit opaque.
I've scribbled out a state map, single-stepping through the boot-up process --
which daemon is up, in which state, when -- to start at for a bit.
Triggering the 'right' shorewall state, at the right time is the challenge. I
suppose, Exec{Post,Pre}{Start,Stop} is one approach. A *messy* approach ...
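One concrete form of the "post up" fencing idea from the quoted reply, written here as an added example that is neither from the thread nor part of Shorewall: an ifupdown hook inserts DROP rules on each interface as it comes up, and a shorewall.service ExecStartPost= drop-in lifts them only after shorewall reports its own rule set loaded. The chain name, state directory and script path are assumptions, and it assumes iptables rather than nftables.

```shell
#!/bin/sh
# Added example, not from the thread: fence a freshly-raised interface with
# DROP rules from an ifupdown hook, and lift the fence once shorewall has
# loaded its own rule set. Chain name, state dir and paths are assumptions.
IPT="${IPT:-iptables}"                 # set IPT=echo for a dry run
CHAIN="boot-fence"                     # hypothetical chain name
STATE="${STATE:-/run/boot-fence}"      # one marker file per fenced interface

# Insert a DROP-only chain at position 1 of INPUT and FORWARD for the given
# interface so nothing arriving on it is accepted before the real policy exists.
fence_iface() {
    iface="$1"
    mkdir -p "$STATE"
    "$IPT" -N "$CHAIN" 2>/dev/null || true   # chain may already exist
    "$IPT" -F "$CHAIN"
    "$IPT" -A "$CHAIN" -j DROP
    "$IPT" -I INPUT 1 -i "$iface" -j "$CHAIN"
    "$IPT" -I FORWARD 1 -i "$iface" -j "$CHAIN"
    : > "$STATE/$iface"
}

# Remove the jumps recorded in STATE and print how many interfaces were
# unfenced; run from shorewall's ExecStartPost=, i.e. only after shorewall
# has replaced the rule set with the intended one.
unfence_all() {
    n=0
    for marker in "$STATE"/*; do
        [ -e "$marker" ] || continue      # glob matched nothing
        iface=${marker##*/}
        "$IPT" -D INPUT -i "$iface" -j "$CHAIN" 2>/dev/null || true
        "$IPT" -D FORWARD -i "$iface" -j "$CHAIN" 2>/dev/null || true
        rm -f "$marker"; n=$((n + 1))
    done
    "$IPT" -X "$CHAIN" 2>/dev/null || true
    echo "$n"
}

# Dispatch: ifupdown exports IFACE and MODE=start to hooks in
# /etc/network/if-up.d/. The assumed systemd drop-in
# /etc/systemd/system/shorewall.service.d/fence.conf would contain:
#   [Service]
#   ExecStartPost=/usr/local/sbin/boot-fence.sh clear
case "${1:-${MODE:-}}" in
    start) fence_iface "${IFACE:?IFACE not set}" ;;
    clear) unfence_all ;;
esac
```

Because `-I ... 1` puts the fence ahead of whatever rules the distribution's default policy already holds, a PPP link that takes a minute to negotiate is closed from the moment it exists until shorewall's own restart clears it.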
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users