Firewalling 90% complete & tested, questions about writing tone

Kelly Anderson cbxbiker at comcast.net
Thu Apr 29 16:16:17 PDT 2004


Dagmar d'Surreal wrote:
 > That was the exact idea.  The only cases in which it might not function
 > properly are instances where services are brought up, and an interface
 > changes substantially (new IP address, for example) and _then_ the
 > services are brought down.  Removal of iptables rules kind of assumes
 > that everything is the way it was when they were brought up.  Still,
 > this isn't anything that a reboot won't eliminate, and in the meantime
 > it will just mean netfilter directives get left around that don't
 > actually do anything.  I don't see this as a super-huge problem since on
 > a multi-interfaced system, you typically want to bind the services
 > themselves to a given interface if at all possible, and you may as well
 > restart them when that IP changes anyway.

It's not too hard to solve that problem.  Something along these lines
will take care of it.  Have your iptables script write the interface's
IP to /var/run/dhcpc/iptables-${IF_UNSECURE).info.  This is part of a
script that I put in /etc/cron.hourly.  You can probably figure out how
you'd want to incorporate it in your stuff.

# Sets IF_UNSECURE
. /etc/firewall/firewall.conf

if [[ x${ROLE} == xfirewall ]]; then
# Sets IPADDR
   if [[ -f /var/run/dhcpc/dhcpcd-${IF_UNSECURE}.info ]]; then
     . /var/run/dhcpc/dhcpcd-${IF_UNSECURE}.info
   else
     . /etc/dhcpc/dhcpcd-${IF_UNSECURE}.info
   fi

# Sets IPT_IPADDR
   . /var/run/dhcpc/iptables-${IF_UNSECURE}.info

   if [[ x${IPADDR} != x${IPT_IPADDR} ]]; then
     /etc/rc.d/init.d/iptables restart
   fi
fi



More information about the hlfs-dev mailing list