kernels, binutils, and stable releases

Robert Connolly robert at linuxfromscratch.org
Mon Apr 18 09:39:50 PDT 2005


On April 18, 2005 11:29 am, Archaic wrote:
> It
> seems to me that blocking port 80 (for example) would be a system-wide
> policy and not one that required that a daemon that uses port 80 is on
> the box. I do believe the rules should be *configured* in each relevant
> package's page, but I don't see the need for an overly cumbersome
> attachment of hooks just to use those rules. If someone had to have a
> modular set of rules, then the main ruleset that sets default policy can
> include those a la /etc/profile.d type files (/etc/firewall.d?). That
> might be nice, though it doesn't actually add or remove any
> functionality to the actual running of the firewall, it does allow us to
> configure things individually.

/etc/rc.d/init.d/iptables could be the start/stop script which 
loads /etc/rc.d/init.d/firewall/default, which has the definitions for 
internal and external IPs, etc. The bootscripts could 
install /etc/rc.d/init.d/firewall/sshd, and /etc/rc.d/init.d/sshd would have:

case "$1" in
 start)
  # load this service's rules before the daemon starts listening
  if [ -x /etc/rc.d/init.d/firewall/sshd ] ; then
   loadproc /etc/rc.d/init.d/firewall/sshd start
  fi
  loadproc sshd
  ;;

 stop)
  killproc sshd
  # drop the rules again once the daemon is gone
  if [ -x /etc/rc.d/init.d/firewall/sshd ] ; then
   loadproc /etc/rc.d/init.d/firewall/sshd stop
  fi
  ;;
esac

firewall/sshd can be -x by default, or whatever. This way a usable example is 
installed, but you don't have to use it. Any personalized rules, like 
redirecting or whatever, can be in /etc/rc.d/init.d/firewall/default.

?

robert
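A per-service rule script of the kind sketched in the message above, written here as an added example (it is not from the hlfs-dev thread or the HLFS bootscripts). It assumes firewall/default already gives INPUT a DROP policy, and the chain name fw_sshd, the SSH_PORT default and the overridable IPTABLES variable are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical /etc/rc.d/init.d/firewall/sshd, invoked by the sshd bootscript
# as "loadproc /etc/rc.d/init.d/firewall/sshd start|stop".
# Assumes firewall/default (loaded by init.d/iptables) already sets a DROP
# policy on INPUT, so this script only opens the SSH port while sshd runs
# and closes it again when sshd stops.

SSH_PORT=${SSH_PORT:-22}                 # assumed default; edit per host
IPTABLES=${IPTABLES:-/usr/sbin/iptables} # overridable so rules can be dry-run
CHAIN=fw_sshd                            # private chain: stop touches only our rules

# Print one iptables argument list per line for the given action.
# Generating rules separately from executing them keeps them reviewable
# (and testable) without touching the live ruleset.
sshd_rules() {
    case "$1" in
    start)
        printf '%s\n' \
            "-N $CHAIN" \
            "-A $CHAIN -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT" \
            "-I INPUT -p tcp --dport $SSH_PORT -j $CHAIN"
        ;;
    stop)
        # Unhook from INPUT first, then flush and delete the chain.
        printf '%s\n' \
            "-D INPUT -p tcp --dport $SSH_PORT -j $CHAIN" \
            "-F $CHAIN" \
            "-X $CHAIN"
        ;;
    *)
        return 1
        ;;
    esac
}

# Feed each generated rule to iptables; stop at the first rejected rule.
apply_rules() {
    sshd_rules "$1" >/dev/null || return 1
    sshd_rules "$1" | while read -r args; do
        $IPTABLES $args || exit 1   # word splitting of $args is intended
    done
}

# Dispatch only when called with an action, as the sshd bootscript does.
if [ $# -gt 0 ]; then
    apply_rules "$1" || { echo "Usage: $0 {start|stop}" >&2; exit 1; }
fi
```

Setting IPTABLES to a wrapper such as `echo` lets you review the exact rule set the script would load before enabling it.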
