-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I believe Debian's method of handling iptables is perfect. if-up.d and its counterparts provide a great means for scripting complex firewall sets.

For example, I have written a perl script that parses a custom config file that defines certain IPs and ports and defines/enables a ruleset automatically when the interface is brought up. To maintain an iptables-save ruleset would be much more complex than writing a one time script and editing a configuration file. It can, of course, be argued that you can write custom scripts and run them via other methods, but the way that Debian handles networking scripts creates a warmer invite for this and simplifies this sort of thing.

On Wed, January 23, 2008 5:22 pm, Florian Weimer wrote:
> * Ondrej Zajicek:
>
>>> You could also have an 'ENABLED' variable like some files in
>>> /etc/default have (so that ports wouldn't be opened by default; the
>>> user would have to manually enable them for the port to be opened).
>>
>> Better way is just not start that daemon.
>
> The daemon might have been installed by a package dependency, more or
> less by accident. Debian should have a policy that all daemons bind to
> the loopback interface by default, but as long as this is not the case,
> I can understand why people put packet filters on hosts as a safety net.
>
> On the other hand, at this stage, it's very difficult for Debian as a
> distribution to choose what firewall scripting framework should be used.
> (But I don't think this is worth the effort.)
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
>
>

- --
James Shupe
HermeTek Network Solutions
http://www.hermetek.com
1.866.325.6207
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkeXyKMACgkQVwQZh6k43zooKgCdH4cGLKe5VNd5gqWzwUjqO0fj
/NYAoNhVw5dGC09NH7GbzSUp9xtrZTYC
=AVJo
-----END PGP SIGNATURE-----
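The approach James describes, an if-up.d hook that reads a small config file and builds the ruleset when the interface comes up, as an added example that is not his Perl script and not part of the original post. It is a POSIX sh hook for /etc/network/if-up.d/; the config format, the default path /etc/firewall/allow.conf and the FIREWALL_CONF override are assumptions made for this example. The rule generation is kept separate from execution so the emitted ruleset can be reviewed (or tested) without root, and bad config lines are skipped with a warning rather than silently opening a port.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# /etc/network/if-up.d/ hook: read an allow-list config and install a
# default-deny INPUT policy for the interface being brought up.
#
# Config format (assumption), one rule per line, '#' starts a comment:
#   <tcp|udp> <port> <source CIDR or "any">
# e.g.  tcp 22 192.168.1.0/24
#       udp 53 any
CONF=${FIREWALL_CONF:-/etc/firewall/allow.conf}   # path is an assumption

# Print the iptables commands for the given config file and interface.
# Nothing is executed here; the caller decides whether to apply them.
generate_rules() {
    conf=$1
    iface=$2
    # Baseline: flush INPUT, default DROP, keep loopback and reply traffic.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Strip comments, then validate every field before it reaches iptables.
    sed -e 's/#.*//' "$conf" | while read -r proto port src; do
        [ -z "$proto" ] && continue
        case $proto in
            tcp|udp) ;;
            *) echo "skip: unsupported protocol '$proto'" >&2; continue ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "skip: bad port '$port'" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skip: port out of range '$port'" >&2; continue
        fi
        case $src in
            ''|any) src=0.0.0.0/0 ;;
            *[!0-9./]*) echo "skip: bad source '$src'" >&2; continue ;;
        esac
        echo "iptables -A INPUT -i $iface -p $proto -s $src --dport $port -j ACCEPT"
    done
}

# ifupdown exports IFACE and MODE; only act when a real interface comes up.
if [ "${MODE:-}" = start ] && [ -n "${IFACE:-}" ] && [ "$IFACE" != lo ]; then
    generate_rules "$CONF" "$IFACE" | sh -e
fi
```

Running the script by hand with IFACE and MODE unset prints nothing and changes nothing; `generate_rules /etc/firewall/allow.conf eth0` shows exactly what would be applied. Because the emitted rules are plain iptables commands, the same generator output can be diffed against `iptables-save` output after the interface is up to confirm that only the configured ports are open.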