On Sun, 2003-12-07 at 23:55, ahg1@swiftdsl.com.au wrote:> Is it feasible (for Shorewall) to figure out which netfilter
> modules should be loaded?
I doubt it -- just because a user doesn''t have any rules that
explicitly
deal with FTP doesn''t mean that the user doesn''t want the ftp
connection
tracking helper loaded -- doesn''t mean that they do either.
Given that Shorewall has to do it''s work without the benefit of
''modprobe'' (because of Leaf/Bering), I think that the current
/etc/shorewall/modules file works OK. It may end up loading more modules
than a user needs but users that are concerned about that can always
comment out the entries for those modules that they don''t need.
One possible improvement would be for Shorewall to detect when
''modprobe'' is present and use it instead of
''insmod''. That would largely
eliminate the need for MODULE_SUFFIX and MODULESDIR.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net