[sclug] Firewalls

lug at assursys.co.uk lug at assursys.co.uk
Sat Oct 25 09:05:31 UTC 2003


On Mon, 13 Jan 2003, Tom Dawes-Gamble wrote:

> Hi Tim,
> 
> 	I wonder if we are reading the same book.  Linux Firewalls
> published by New Riders?  I've had my copy for ages so maybe you have a 
> newer version.  Anyway page 115 is talking about traceroute.

Looks like Tim has the second edition, like me. ;-)

> 	The one reason that you might not want to invoke iptables commands
> at the command line is that you may enter a rule such as one that stops
> all incoming traffic and then opens up to specific addresses.  So you're
> connected over an IP connection and you stop yourself sending the command
> to open up your connection.
> 
> 	If you use a script then if you pull the rug from under your feet 
> the script may continue and put the rug back.  If you are on the console
> there is no rug to pull out. :-)

I think that's what Ziegler's getting at - don't change firewall rules
across a network connection as you may find that connection gets blocked
partway through, leaving you unable to add further rules which would
otherwise allow the connection to proceed.

> Regards,
> Tom.
> 
> 
> On Mon, Jan 13, 2003 at 06:01:38PM -0000, tim wrote:
> > Can anyone help - I'm sure it is a simple question.
> > 
> > I am working through Bob Ziegler's Firewall book.
> > On page 115 (if you have it) he says "Do not attempt to invoke specific
> > iptables rules from the command line."
> > On the previous page he had pointed to a shell script
> > /etc/rc.d/rc.firewall
> > 
> > He says to execute the shell script from the console.
> > 
> > What does this mean? I have looked through the firewall HOW-TO and that does
> > not mention it, which makes me think that it is very basic stuff
> > that I just haven't twigged.

Ziegler is assuming that you're going to create /etc/rc.d/rc.firewall as per
the guidance in his book.

> > My thoughts are to start a shell by running bash from the command line, but
> > 1. I thought the command line was bash

It is.

> > 2. That still does not explain the
> > /etc/rc.d/rc.firewall which does not exist on my system.

Which means you'll need to create it.

If you're running RH though, and want to fit in with the way RH does things,
you'll probably want to edit /etc/sysconfig/iptables instead of creating
rc.firewall.

> > Any help would be much appreciated - thanks
> > Tim Holmes

HTH,
Alex.
-- 
Alex Butcher        Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                        Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                           <http://www.assursys.com/>
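The lock-out Tom and Alex describe above is an ordering problem: if the rule that blocks all incoming traffic goes in before the rules that keep the admin's own session alive, the session is cut off and the later rules never get entered. The script below is an added example, not code from this thread or from Ziegler's book. It shows one rc.firewall-style layout that orders the rules so the session that launched it keeps working even over the network, and arms a timed rollback so a mistake undoes itself. The `IPT` variable, the function names, the `ADMIN_NET` range (192.0.2.0/24, a TEST-NET-1 placeholder) and the 60 second rollback window are assumptions of this example; it uses the legacy `state` match that the 2003-era iptables in the thread had.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ziegler's book.
# A minimal rc.firewall-style script that (1) applies rules in an order that
# cannot cut off the session that started it and (2) arms a timed rollback so a
# mistake undoes itself. Assumes: root, iptables with the legacy "state" match,
# and that the admin connects from ADMIN_NET (192.0.2.0/24 is a constructed
# TEST-NET-1 placeholder; replace it with the real address range).

IPT="${IPT:-iptables}"                 # set IPT=echo to dry-run without root
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}" # hypothetical admin source range
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Apply the INPUT rules. The order is the whole point: the rules that keep the
# current connection alive are added BEFORE the policy is flipped to DROP, so
# even when this runs over ssh the packets of that session keep matching ACCEPT.
apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT            # start permissive while the chain is rebuilt
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets belonging to connections that already exist (including the
    # session running this script) are accepted first.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New admin connections from the trusted range.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
         -m state --state NEW -j ACCEPT
    # Only now close everything else.
    $IPT -P INPUT DROP
}

# Safety net for the "rug pulled out" case: save the current ruleset and put it
# back after ROLLBACK_SECS unless the admin confirms by removing the marker file.
# iptables-save/iptables-restore ship with iptables; this part needs root.
arm_rollback() {
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    marker="$saved.keep"
    : > "$marker"
    (
        sleep "$ROLLBACK_SECS"
        if [ -e "$marker" ]; then       # admin never confirmed: undo the change
            iptables-restore < "$saved"
        fi
        rm -f "$saved" "$marker"
    ) &
    echo "rollback armed: rm $marker within ${ROLLBACK_SECS}s to keep the new rules"
}

# Run from the console as root: ./rc.firewall start
case "${1:-}" in
    start) arm_rollback && apply_rules ;;
esac
```

Running it with `IPT=echo` prints the iptables commands in the order they would be executed, which is a cheap way to review a ruleset before it is applied for real; the ESTABLISHED,RELATED rule always lands above the `-P INPUT DROP` line.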
