Iptables initialization

ken_i_m at elegantinnovations.net
Thu Feb 12 22:19:27 PST 2004

On Thu, Feb 12, 2004 at 04:54:49PM -0600, Dagmar d'Surreal (dagmar.wants at nospam.com) wrote:
> (With respect to a host's participation in a network, it means that the
> machine should initially respond to *no* packets whatsoever.  When a
> host is acting as a firewall, it is especially important that this be
> the case, and as to routers, it's actually documented in an RFC for
> machines acting as routers that they should have their policies in place
> before enabling any interface for routing.)

Which RFC?

> *snip*
> Since in the LFS-bootscripts firewalling is not atomically tied to the
> starting of the network (and trust me on this, trying to do it on a
> per-interface basis is not a clean solution... been down that road and
> came back tired)

(Long trip?  Uphill all the way?)

I have noticed that the network is initialized and working before the 
firewall.  A gap.  One I have never measured but always assumed (at least 
while I did not have time to do anything about it in any case) to be small 
enough that it was an OK tradeoff.

> *snip* ... it's going to require
> adding some new functionality to _many_ of the init.d scripts.  I've
> just about got this all solved, but I want to see if there are any fresh
> ideas to this end before I publish my solutions because someone just
> might come up with something unique and useful.

I look forward to reviewing your solutions.

Bootscript related thought:
As a result of a recent post on one of the other lfs lists I have been 
giving some spare mental cycles to daemontools and runit.  Prior to said 
post I had been experiencing growing discomfort with the hackish hair 
growing on some rc scripts that handle the startup/shutdown of a database 
server, a netware share, and an ungodly number of cronjobs that run to 
check if custom apps are running and restart them if they have died.
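The ordering question raised in this exchange (policies in place before any interface is up, and the ruleset loaded in one step rather than one `iptables` call at a time) can be sketched as a bootscript. The script below is an added example, not code from the LFS-bootscripts or from either author in the thread; it assumes iproute2 (`ip`) and `iptables-restore` are installed, and the interface name `eth0`, the address `192.0.2.10/24` and the rule file path `/etc/iptables/rules.v4` are placeholders chosen for illustration. Setting `DRY_RUN=1` prints the commands instead of running them, so the sequence can be inspected without root.

```shell
#!/bin/sh
# Added example for an iptables-first boot sequence. Not from the LFS
# bootscripts or the thread's authors. Assumes iproute2 and iptables-restore
# are present; IFACE, the address and RULES_FILE are illustrative placeholders.
# DRY_RUN=1 prints each command instead of executing it.

IFACE="${IFACE:-eth0}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stage 1: a minimal lockdown table. Default policy DROP on every chain, with
# loopback the only thing allowed. It is fed to iptables-restore so the whole
# table is committed at once; a series of separate `iptables -P` / `iptables -A`
# calls would leave the kernel's default ACCEPT policy active until the last
# one had run.
lockdown_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

apply_lockdown() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables-restore <lockdown>\n'
    else
        lockdown_ruleset | iptables-restore
    fi
}

# Stage 2: only now is an interface brought up. Any packet arriving from this
# point on already meets the DROP policy above.
bring_up() {
    run ip link set "$IFACE" up
    run ip addr add 192.0.2.10/24 dev "$IFACE"   # placeholder address (TEST-NET-1)
}

# Stage 3: swap in the real ruleset, again as a single atomic load. If the file
# is malformed, iptables-restore aborts and the lockdown table stays in force.
apply_full_ruleset() {
    run iptables-restore "$RULES_FILE"
}

boot_sequence() {
    apply_lockdown
    bring_up
    apply_full_ruleset
}

# Sanity check on the ordering: do a dry run and confirm the lockdown load is
# emitted before the first `ip link` command. Returns 0 when that holds.
lockdown_precedes_link_up() {
    out=$(DRY_RUN=1; boot_sequence)
    lock_line=$(printf '%s\n' "$out" | grep -n 'iptables-restore <lockdown>' | head -n1 | cut -d: -f1)
    link_line=$(printf '%s\n' "$out" | grep -n 'ip link set' | head -n1 | cut -d: -f1)
    [ -n "$lock_line" ] && [ -n "$link_line" ] && [ "$lock_line" -lt "$link_line" ]
}

if [ "${1:-}" = "start" ]; then
    boot_sequence
fi
```

Run as `DRY_RUN=1 sh firewall-boot.sh start` to see the order without touching the kernel; as root without `DRY_RUN`, stage 1 must run before whatever bootscript brings up the interfaces, which is the coupling the thread says the LFS scripts lack.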
