On Thu, Jan 15, 2004 at 01:32:47AM +0100, Jan Minar wrote:
> (1) Set up your iptables configuration.
> (2) Do ``iptables-save > /etc/iptables.conf''.
> (3) Add ``iptables-restore < /etc/iptables.conf'' to /etc/init.d/network.

Instead of altering /etc/init.d/networking, I suggest looking at
interfaces(5), particularly: up, pre-up, down and post-down.

> Do NOT use /etc/init.d/iptables until it's audited -- there is/was
> a potential security breach (see Bug#225805), and other issues are
> probably to be discovered.

iptables-save is broken in various ways. It can produce output that
iptables-restore cannot parse.

iptables-restore is broken in one spectacular way, having no ability to
recover from errors. That can range from broken input (see above) to
simply failing because of missing netfilter features, in the kernel or
modular. (In other words, trying to load some match or target that it
has no kernel support for.) And the error messages iptables-restore
produces are not terribly useful.

Of course, beyond the typo that caused the bug reported in Bug#225805,
the init script in woody also suffers from being entirely dependent on
iptables-save and iptables-restore.

Bug#225805 is corrected in proposed-updates, though not as a security
issue. I still recommend not using that init script.
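The following is an added example, not code from the message above or from Debian: a small wrapper around iptables-restore meant to be called from a `pre-up` line in /etc/network/interfaces (interfaces(5)), as the reply suggests, instead of editing the init script. It addresses the two failure modes described: it rejects a saved ruleset that does not look like complete iptables-save output before handing it over, and it turns a failed restore into a non-zero exit status with a logged message, so ifup aborts rather than bringing the interface up with no filtering. The script name `load-firewall`, the `RESTORE_CMD` variable (which only exists so the logic can be exercised without root or a netfilter-capable kernel) and the 192.0.2.x addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list message).
# Assumed to be installed as /usr/local/sbin/load-firewall and hooked
# from /etc/network/interfaces like this (constructed sample):
#
#   auto eth0
#   iface eth0 inet static
#       address 192.0.2.10
#       netmask 255.255.255.0
#       pre-up /usr/local/sbin/load-firewall /etc/iptables.conf
#
# interfaces(5): if a pre-up command fails, ifup aborts and does not
# configure the interface, so a broken ruleset never leaves the box
# unfiltered. RESTORE_CMD defaults to the real tool; it is a variable
# only so the logic can be tested with a stand-in command.
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

# sanity_check FILE: cheap checks on a saved ruleset before feeding it to
# iptables-restore, which cannot recover part-way through and gives poor
# diagnostics. iptables-save writes one "*table" header per table and
# ends each table with "COMMIT"; mismatched counts mean a truncated or
# hand-mangled file. Returns 0 if the file looks complete.
sanity_check() {
    f="$1"
    [ -r "$f" ] || { echo "load-firewall: cannot read $f" >&2; return 1; }
    [ -s "$f" ] || { echo "load-firewall: $f is empty" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "load-firewall: $f: $tables table header(s) but $commits COMMIT line(s)" >&2
        return 1
    fi
    return 0
}

# load_ruleset FILE: run the sanity check, then the restore command with
# the file on stdin. Any failure is logged (including whatever the tool
# printed on stderr) and propagated as a non-zero exit status.
load_ruleset() {
    f="$1"
    sanity_check "$f" || return 1
    if err=$($RESTORE_CMD < "$f" 2>&1 >/dev/null); then
        return 0
    fi
    echo "load-firewall: $RESTORE_CMD failed on $f: ${err:-no diagnostic}" >&2
    return 1
}

# Behave as the hook only when run under the assumed script name, so the
# functions can also be sourced for testing.
if [ "${0##*/}" = "load-firewall" ]; then
    load_ruleset "${1:-/etc/iptables.conf}"
fi
```

Because the hook runs before the interface is configured, a restore that fails for any of the reasons in the message (unparsable output, a match or target the running kernel lacks) is reported in the ifup output and the interface stays down, which is the safer failure than the silent one the woody init script gives.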