On Mon, Apr 20, 2009 at 12:17 PM, Sthu Deus <sthu.d...@gmail.com> wrote:
> Thank You for Your time and answer, Javier:
>
>> Did you try to use your iptables script in post-up / pre-down hooks at
>> /etc/network/interfaces ? I think it is the best solution for that
>
> But I have to disagree w/ You - once the network environment
> changes, that is, say the machine will be out of a net, then the file
> will cease running on the interface initialization (or whatever), which
> will end up with the firewall not started at all - that can be dangerous in
> cases of:
>
> a) there are rules for internal programs' communications (that is, within
> the machine);
>
> b) if a modem connection is established - the machine will be just
> uncovered for the net (?Internet).

Ok, it was only my suggestion, I don't have a strong opinion about it (thanks for your time and opinion too).

> Personally, I advise the topic author to make a script, make it
> run from some /etc/rcN.d, having a small number after S. - Then the
> firewall will be launched independently of what the current network
> environment is. The disadvantage is that there is a delay between the actual
> interface initialization moment and the moment the iptables rules are
> applied.

I don't like to add a local init script to a Debian system. Perhaps better adding iptables rules to /etc/rc.local

Regards,
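One way to reconcile the two approaches discussed above, added here as an example and not code from either poster: a single firewall script that /etc/rc.local runs at boot (so rules are in place before any interface, including a later modem link, comes up) and that a post-up hook in /etc/network/interfaces may call again harmlessly. The script path, rules file location and the ruleset itself are assumptions.

```shell
#!/bin/sh
# Example firewall loader (not from the thread). Install as
# /usr/local/sbin/firewall.sh (assumed path) and call it from BOTH places:
#   /etc/rc.local:              /usr/local/sbin/firewall.sh
#   /etc/network/interfaces:    post-up /usr/local/sbin/firewall.sh
# INPUT/FORWARD default to DROP, so a link that appears later is covered;
# loopback is always accepted so local inter-process traffic keeps working.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed location

# Emit a complete iptables-restore ruleset. Pure text, runs unprivileged.
build_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Refuse a ruleset that would leave INPUT open, drop loopback, or lack COMMIT.
check_rules() {
  printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$1" | grep -q '^-A INPUT -i lo -j ACCEPT' || return 1
  printf '%s\n' "$1" | grep -q '^COMMIT$' || return 1
  return 0
}

# Load atomically with iptables-restore: all-or-nothing and idempotent, so
# being called from rc.local and again from post-up is harmless. Needs root.
apply_rules() {
  rules=$(build_rules)
  check_rules "$rules" || { echo "refusing to load unsafe ruleset" >&2; return 1; }
  printf '%s\n' "$rules" > "$RULES_FILE"
  iptables-restore < "$RULES_FILE"
}

# Apply only when run directly as root; sourcing the file just defines functions.
if [ "${0##*/}" = "firewall.sh" ] && [ "$(id -u)" = 0 ]; then
  apply_rules
fi
```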