netfilter firewalling problems and solutions

Archaic archaic at
Wed Feb 18 19:51:19 PST 2004

On Wed, Feb 18, 2004 at 07:43:30PM -0700, ken_i_m at wrote:
> On Tue, Feb 17, 2004 at 11:09:05AM -0600, Dagmar d'Surreal (dagmar.wants at wrote:
> >   While it might seem more convenient to lob all of these rules into one
> > script so they are all in the same place, their existence is atomically
> > tied to the active presence of a service daemon.  For this reason we're
> > better off putting rules to allow each activity into the init.d script
> > for that daemon.
> Disagree.  To make it work "lob" is not a verb that leads to a good 
> solution but breaking the firewall up into pieces and sprinkling it over a 
> number of daemon init scripts is not conducive to sanity.

Same here. A well commented script should work fine. Or at least a
modular one that calls (from within the main script) the modules.

A simple one that I use for blacklists is this:

# $IPT (iptables binary) and $InFACE (outbound interface) are set earlier in the script.
if [ -f /etc/blacklist ]; then
        for i in `cat /etc/blacklist`; do
                # log the hit first, then drop it
                $IPT -A OUTPUT -o $InFACE -d $i -j LOG \
                   --log-prefix 'BLACKLISTED: ' &&
                $IPT -A OUTPUT -o $InFACE -d $i -j DROP
        done
fi
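The loop above trusts every token in /etc/blacklist and hands it straight to iptables, so a stray comment or typo in that file becomes a failed rule (or, with `&&` chaining, silently stops the rest of the firewall script). The following is an added example, not code from the list post or from HLFS, showing the same LOG-then-DROP blacklist as a function that skips comments and blank lines, rejects entries that are not IPv4 addresses or CIDR ranges, and can be dry-run by pointing `IPT` at `echo`. The names `blacklist_rules`, `is_ipv4_cidr`, `IFACE`, `BLACKLIST` and `BLACKLIST_APPLY` are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: validated blacklist loader for a monolithic firewall script.
# IPT, IFACE and BLACKLIST are assumed names; override them in the environment.
IPT=${IPT:-iptables}
IFACE=${IFACE:-eth0}
BLACKLIST=${BLACKLIST:-/etc/blacklist}

# is_ipv4_cidr ENTRY: succeed if ENTRY is a dotted quad with an optional /prefix.
# Anything else (hostnames, IPv6, shell metacharacters) is refused so a bad
# line in the blacklist file cannot turn into an unexpected iptables argument.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# blacklist_rules FILE IFACE: for each valid entry in FILE, append a LOG rule
# and a DROP rule to OUTPUT on IFACE. Comments (#...) and blank lines are
# ignored; malformed entries are reported on stderr and skipped. Returns
# non-zero only if iptables itself fails, so a caller chaining with && still
# sees real errors.
blacklist_rules() {
    file=$1
    iface=$2
    [ -f "$file" ] || return 0          # no blacklist is not an error
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}               # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue     # blank or comment-only line
        if ! is_ipv4_cidr "$entry"; then
            printf 'blacklist: skipping malformed entry: %s\n' "$line" >&2
            continue
        fi
        $IPT -A OUTPUT -o "$iface" -d "$entry" -j LOG \
            --log-prefix 'BLACKLISTED: ' || return 1
        $IPT -A OUTPUT -o "$iface" -d "$entry" -j DROP || return 1
    done < "$file"
}

# Apply only when explicitly requested, so sourcing this file is side-effect free.
# Dry run: BLACKLIST_APPLY=1 IPT=echo BLACKLIST=./blacklist.txt sh blacklist.sh
if [ "${BLACKLIST_APPLY:-0}" = 1 ]; then
    blacklist_rules "$BLACKLIST" "$IFACE"
fi
```

Because the function returns non-zero only on an iptables failure, it slots into the kind of `&&`-chained main script the post describes without a single bad blacklist line aborting everything after it; the skipped entries still show up on stderr for review.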


A ``decay in the social contract'' is detectable; there is a growing
feeling, particularly among middle-income taxpayers, that they are not
getting back, from society and government, their money's worth for taxes
paid. The tendency is for taxpayers to try to take more control of their
finances ..

- IRS Strategic Plan, (May 1984)
