----------
From: Tzafrir Cohen[SMTP:[EMAIL PROTECTED]
Sent: Friday, November 23, 2001 12:23 PM
To: Lance Levsen
Cc: John Mautz; debian-firewall@lists.debian.org; debian-user@lists.debian.org
Subject: Re: Auto starting iptables
On Thu, 22 Nov 2001, Lance Levsen wrote:

> make an iptables script in /etc/init.d/iptables
> chmod 755 this file
>
> run $ update-rc.d iptables defaults 10 (not sure about this
> syntax, read the manpage.)

Note, however, that this script will be called again before you shut down the computer (since K??rc.firewall will probably be created in both rc6.d [reboot] and rc0.d [halt]). In most cases there is nothing wrong with running this script again before shutting down the interface.

Note that according to the Debian policy, an init.d script should be able to accept 'start', 'stop' and 'restart' as parameters and act accordingly. There's nothing wrong with deviating from the Debian policy for your personal system, but then it is your job to guarantee that things still work properly. Also see a message by me from a couple of weeks ago as to why a 'real' init.d firewall script is a good idea.

Also note that Debian made a strange (IMHO) decision to start networking in the very first stage of the startup scripts: in rcS.d (see /etc/rcS.d/README). This means that if you have a network interface that is configured through dhcp, then when you boot in 'single', that interface is up, and the dhcp client is connecting to the daemon to accept configuration (or stuck for 1/2 a minute if the network configuration is screwed up). (For those cases you have INIT=/bin/bash, but you should be careful with that one, as it is easy to forget a filesystem mounted before you reboot.) This means that if you want to run a script before the network is up, you have to put it in the very first stages of rcS.d.

--
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir


Just edit the /etc/init.d/networking rc script and make your iptables script executable from there. That way, when you stop networking services you can clear your firewall rules or reset them.

Stef
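The kind of init.d script the thread is asking for, as an added example that is not code from either poster: a /etc/init.d/iptables in the start/stop/restart shape Debian policy expects, where 'stop' flushes the tables so the K?? invocation at halt or reboot leaves a clean, predictable state. The iptables path, the interface name eth0 and the rule set are assumptions; setting IPTABLES=echo dry-runs the script without root.

```shell
#!/bin/sh
# Hypothetical /etc/init.d/iptables in the shape Debian policy expects:
# one script, dispatched on "start", "stop" and "restart".
# IPTABLES is overridable so the rule set can be dry-run (IPTABLES=echo)
# without root; the real path and interface name are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"   # constructed: interface facing the untrusted network

# Flush every chain and reset policies to ACCEPT. "stop" must leave a clean
# table because the same script runs again from rc0.d/rc6.d on halt/reboot.
fw_stop() {
    for t in filter nat mangle; do
        "$IPTABLES" -t "$t" -F
        "$IPTABLES" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$c" ACCEPT
    done
}

# Default-deny inbound policy: loopback and established return traffic pass,
# new SSH connections are admitted, everything else on the WAN side is logged.
fw_start() {
    fw_stop                    # start from an empty table so rules never stack
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A INPUT -i "$WAN_IF" -j LOG --log-prefix "fw-drop: "
}

# Policy-conformant dispatcher: returns 0 on a known action, 2 (usage) otherwise.
fw_dispatch() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop && fw_start ;;
        *)       echo "Usage: $0 {start|stop|restart}" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an action, so sourcing the file is side-effect free.
if [ $# -gt 0 ]; then
    fw_dispatch "$1"
    exit $?
fi
```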