Dale Dellutri
2005-Nov-04 16:42 UTC
[CentOS] Putting nat routing into place permanently? -- service iptables save
Peter Farrow wrote:
> Rc.local is used explicitly for the running of scripts after the system
> has booted.
> Putting your own firewall scripts in here is a good place to put them
> rather than relying on "service iptables save"; this is because the
> visibility of changes is poor when using the "service iptables save":
> someone, either inadvertently or otherwise, may modify the iptables and
> re-issue a "service iptables save" and have it reloaded at boot quite
> transparently.
> ...

Visibility aside, isn't rc.local much too late for setting up iptables?

My /etc/rc.d/rc3.d/ has an S08iptables and an S10network, then lots more, including an S99local, and then after all this, rc.local is run. By this time, the network is already up.

It seems to me that if you want to do some iptables setup, it must be done before S10network, or it leaves a short-time security hole.

Personally, I set up the iptables I want and then do
  service iptables save

If I was worried about changes, I guess I'd modify S08iptables to check that nothing has changed, or add an S07checkiptables script.

(This is my first post to this mailing list, so I hope I've done it correctly.)

-- 
Dale Dellutri
Bryan J. Smith
2005-Nov-04 20:13 UTC
[CentOS] Putting nat routing into place permanently? -- service iptables save
Dale Dellutri <dale at EckhardtTrading.com> wrote:
> Visibility aside, isn't rc.local much too late for setting
> up iptables?

As at least 1 other has mentioned as well.

> My /etc/rc.d/rc3.d/ has an S08iptables and an S10network,
> then lots more, including an S99local, and then after all
> this, rc.local is run.

FYI ... (Fedora Core 3) ...
  $ ls -la /etc/rc5.d/S99local
  ... /etc/rc5.d/S99local -> ../rc.local

> By this time, the network is already up. It seems to
> me that if you want to do some iptables setup, it must be
> done before S10network, or it leaves a short-time security
> hole.

Again, as at least 1 other has mentioned as well.

> Personally, I set up the iptables I want and then do
>   service iptables save
> If I was worried about changes, I guess I'd modify
> S08iptables to check that nothing has changed, or add an
> S07checkiptables script.

Such can be done with a conditional like ...
  [ "`rcsdiff /etc/sysconfig/iptables`" != "" ]
which will return true if the file hasn't changed from the last RCS check-in (which should be the last edit ;-).

> (This is my first post to this mailing list, so I hope I've
> done it correctly.)

Wrong! @-ppp

-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org   | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
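The "S07checkiptables" idea from Dale's post and the change-detection conditional in Bryan's reply, worked through as an added example that is not from the thread or from the CentOS init scripts. It pins a SHA-256 digest of the rules file instead of relying on an RCS check-in, and refuses to feed the file to iptables-restore when the digest no longer matches. The paths, the RESTORE_CMD override, and the helper names are assumptions made for this illustration; the pinned-digest file is a convention of the example, not something the distribution ships.

```sh
#!/bin/sh
# Added example (not from the thread): an S07-style pre-check that only loads
# /etc/sysconfig/iptables when it still matches a pinned SHA-256 digest.
# A digest pin stands in for the RCS check-in Bryan describes. RESTORE_CMD,
# the pin path and the helper names are assumptions for illustration.

RESTORE_CMD=${RESTORE_CMD:-iptables-restore}   # overridable for dry runs

# digest_of FILE: print the hex SHA-256 of FILE
digest_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# pin_rules RULES PIN: record the digest of RULES in PIN.
# Run this once, deliberately, after every intentional edit or
# "service iptables save"; keep PIN root-owned and mode 0600.
pin_rules() {
    digest_of "$1" > "$2"
}

# check_rules RULES PIN: 0 if RULES matches PIN, 1 if it differs,
# 2 if PIN is missing (no baseline was ever recorded)
check_rules() {
    [ -f "$2" ] || return 2
    expected=$(cat "$2")
    actual=$(digest_of "$1")
    [ "$actual" = "$expected" ]
}

# load_rules RULES PIN: restore the rules only when the pin matches;
# otherwise log to syslog (authpriv) and leave the ruleset untouched,
# so a quietly re-saved file never reaches the kernel at boot.
load_rules() {
    rc=0
    check_rules "$1" "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        "$RESTORE_CMD" < "$1"
    else
        if [ "$rc" -eq 2 ]; then why="no pinned digest"; else why="digest mismatch"; fi
        msg="refusing to load $1: $why"
        logger -p authpriv.err -t checkiptables "$msg" 2>/dev/null || echo "$msg" >&2
        return 1
    fi
}

# demo: pin -> load -> tamper -> refuse, on a scratch copy with a
# constructed iptables-save style ruleset (cat stands in for iptables-restore)
demo() {
    RESTORE_CMD=cat
    tmp=$(mktemp -d)
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' > "$tmp/iptables"
    pin_rules "$tmp/iptables" "$tmp/iptables.sha256"
    load_rules "$tmp/iptables" "$tmp/iptables.sha256" > /dev/null && echo "clean file: loaded"
    echo '-A INPUT -p tcp --dport 22 -j ACCEPT' >> "$tmp/iptables"   # simulated unlogged edit
    load_rules "$tmp/iptables" "$tmp/iptables.sha256" || echo "tampered file: refused"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh checkiptables.sh demo` to see both branches on a scratch file. Hooked in before S08iptables, the refusal leaves whatever policy the S08 script would otherwise apply unloaded, so the default should be a drop policy rather than an open host; wire the check into the S08 script itself if you want "refuse" to mean "stay closed" rather than "do nothing". Note the limit of the approach: it catches the case Peter raised, an unnoticed `service iptables save` reloaded at boot, but anyone with root who rewrites the rules file can rewrite the pin too, so this is a change-visibility control, not protection against a root-level attacker.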