Iptables initialization

Tarek W. mailinglists1 at hotpop.com
Wed Feb 18 10:39:40 PST 2004


On Mon, 2004-02-16 at 21:58, Dagmar d'Surreal wrote: [snipped]
> On Sun, 2004-02-15 at 09:20, Tarek W. wrote:
> > in short, I think one ruleset should be living in memory before any
> > interfaces != lo r brought up. then before each new interface is brought
> > up 1/2 rules should be injected by the script, so massive redesign of
> > the scripts shouldn't be needed. regardless of how we go with this,
> > 1/multiple rulesets, can't see why sysvinit scripts should undergo a
> > massive redesign. even in the case where we would want to modify a
> > ruleset on a daemon starting. work can be done on a script similar to
> > /sbin/service in redhat.
> 
> It's all well and good to believe in the existence of rulesets, but you
> should really be more specific.  I can't tell what you're talking about.

I was trying to contrast the idea of one ruleset per device, when it's
brought up, the ruleset is loaded and on the other hand, one global
ruleset (per machine) that always lives in memory.

if we separate the logical structure of the rules by device at the top
level, the overhead (if any) will be irrelevant.

> 
> > in any case, I will take a look at what the hlfs book has on this, I
> > also volunteer to design the ruleset. my credentials will be provided at
> > a later date if the idea is appealing to the group.
> 
> There is no one ruleset that should be applied to everyone's machine, so
> I don't know what it is you're intending to design.

of course there isn't one ruleset applicable to any setup, that's not
what I meant, but for the sake of argument, there is a subset of rules
which should apply to every machine out there:

1) stateful firewalling allowing all out, "related" (in English, not
RELATED) packets in

2) forwarding off

I do understand that the discussion spawned leaf issues, but I thought
the original email intended to initiate a discussion of "common
practices" for an iptables firewall. in other words, what do we put in
the book concerning firewalling: best practices *and* how to firewall the
hlfs box.

before I delve any deeper, answer me these pls: "where is the hlfs
book?! am under the impression it doesn't exist yet" and "is this thread
directly pertinent to a subsection of the book which will cover
implementing a firewall on the hlfs box?!"
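As an added illustration of the two baseline rules listed in the message above (stateful, all out, replies in; forwarding off), here is the ruleset written in iptables-restore format, so it can be loaded atomically from an init script before any interface other than lo is brought up. This is example code written for this archive page, not a script from the thread or from the HLFS book; it assumes a kernel with the netfilter state match (connection tracking) and the iptables-restore binary, and the function and file names are my own.

```shell
#!/bin/sh
# Baseline iptables ruleset matching the two points in the post:
#   1) stateful: everything out, only replies (ESTABLISHED,RELATED) back in
#   2) forwarding off
# Emitted in iptables-restore format so the whole table is swapped in one
# atomic step, which is what you want when this runs before eth0 comes up.
# (Example script; function names and layout are assumptions, not HLFS code.)

baseline_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
# stateful: let replies to our own connections, and related ones, back in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything else inbound falls through to the INPUT policy (DROP)
COMMIT
EOF
}

# Load the table and switch routing off in the kernel as well; the FORWARD
# policy above already drops, the sysctl makes sure nothing is routed at all.
# Needs root and a netfilter-capable kernel.
apply_baseline() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2
        return 1
    }
    baseline_ruleset | iptables-restore || return 1
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

# Checks on the generated text that run without root or netfilter: verify
# the ruleset really has the properties the post asks for before loading it.
ruleset_has_default_drop_input() {
    baseline_ruleset | grep -q '^:INPUT DROP'
}
ruleset_has_default_drop_forward() {
    baseline_ruleset | grep -q '^:FORWARD DROP'
}
ruleset_allows_related_in() {
    baseline_ruleset | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT'
}
ruleset_allows_all_out() {
    baseline_ruleset | grep -q '^:OUTPUT ACCEPT'
}

# "apply" loads the rules; with no argument just print them for review.
case "${1:-}" in
    apply) apply_baseline ;;
    *) baseline_ruleset ;;
esac
```

Run it with no argument to inspect the table it would load, or with `apply` (as root) from the init script that runs before the network interfaces are configured; the grep-based checks are there so the file can be validated on a build host that has no iptables at all.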