On Tue, 2007-07-03 at 21:16 +1000, Amos Shapira wrote:
> As a long-time Debian advocate, I'm hanging my head in shame about
> this - the above behaviour is the single advantage I found with FC/RH
> over latest Debian. As far as I can tell, Debian Sarge used to have
> some provisions for saving/restoring iptable rules automatically which
> were removed in Etch. I can buy the argument that the "industry best
> practice" dictated this removal but still it's a shame that each
> individual Debian sys admin has to figure out scripting of the
> iptables-save/-restore on boot.

The below comment is not meant as an "in your face, ha ha" reply. Seriously.

"Securing Debian Manual" ( http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html which claims to be up to date to 18 May 2007) encourages people to - in this order - use graphical rule builder interfaces, write and maintain their own SysV firewall init scripts (and the given example script is quite complex) or manually configure the pre-up/pre-down hooks in /etc/network/interfaces.

I think this is really bad. The only good thing in the above document is that one of the tools suggested in the first section is shorewall which is a brilliant firewall management script and ever since I started working with it (several years back) I never recommend people to use anything else - but it receives equal exposure as KNetFilter and bastille - which is not very encouraging.

--
Oded