[sclug] Firewalls

Tom Dawes-Gamble tmdg at hp.com
Sat Oct 25 09:05:31 UTC 2003


Hi Tim.

	Indeed the files in /etc/rc.d/init.d are the start-up scripts.
They use files in /etc/sysconfig to decide how they run, i.e. to set variables.

	I'm not familiar with Mandrake so I can't say exactly what you need to do.

	It may not just be a case of renaming rc.firewall to /etc/sysconfig/iptables.

	On a RH 7.3 /etc/rc.d/init.d/network has a symbolic link
/etc/rc.d/rc5.d/S10network  and /etc/rc.d/init.d/iptables has a sym link
/etc/rc.d/rc5.d/S08iptables.   This suggests to me that iptables are
put in place before networking is started.  ( Makes sense ).
/etc/rc.d/init.d/iptables will be invoked by init with the argument "start"
so any existing tables will be removed and then the tables from
/etc/sysconfig/iptables will be installed.

	From what I can see and from what I know about rc.firewall,
rc.firewall will not work as your /etc/sysconfig/iptables file.  The
file needs to be the correct format for input to /sbin/iptables-restore.


Regards,
Tom.


tim wrote:
> Thanks for the help guys - you have given me some useful clues.
>  Found the bit about rc.firewall in the appendix B
> 
> 
> Had been under the impression that you opened up a shell and started
> typing in the iptables commands and by doing so slowly built up the
> firewall.
> Have looked at the rc.firewall and realised that I can create a bash
> shell with all those environment variables and use that or just create a
> file that is the full script.
> I am running Mandrake 8.2 and have installed it as a firewall but do not
> seem to have the /etc/sysconfig/iptables file. I do have
> /etc/rc.d/init.d/iptables which says it is a Startup script to implement
> /etc/sysconfig/iptables. So I guess I have to create that in a similar
> manner to rc.firewall.
> 
> 
> I know some of this may seem obvious to you but I am an OS390/Windows
> techie trying to move to Linux in my spare time
> 
> 
> Thanks again for your help
> 
> 
> -----Original Message-----
> From: lug at assursys.co.uk [mailto:lug at assursys.co.uk]
> Sent: 13 January 2003 19:29
> To: Tom Dawes-Gamble
> Cc: tim; Sclug
> Subject: Re: [sclug] Firewalls
> 
> 
> On Mon, 13 Jan 2003, Tom Dawes-Gamble wrote:
> 
> 
>>Hi Tim,
>>
>>	I wonder if we are reading the same book.  Linux Firewalls
>>published by New Riders?  I've had my copy for ages so may be you have a
>>newer version.  Anyway page 115 is talking about traceroute.
> 
> 
> Looks like Tim has the second edition, like me. ;-)
> 
> 
>>	The one reason that you might not want to invoke iptables commands
>>at the command line is that you may enter a rule such as that you stop
>>all incoming traffic and then open up to specific addresses.  So you're
>>connected over an IP connection and you stop yourself sending the
>>command to open up your connection.
>>
>>	If you use a script then if you pull the rug from under your feet
>>the script may continue and put the rug back.  If you are on the console
>>there is no rug to pull out. :-)
> 
> 
> I think that's what Ziegler's getting at - don't change firewall rules
> across a network connection as you may find that connection gets blocked
> partway through, leaving you unable to add further rules which would
> otherwise allow the connection to proceed.
> 
> 
>>Regards,
>>Tom.
>>
>>
>>On Mon, Jan 13, 2003 at 06:01:38PM -0000, tim wrote:
>>
>>>Can anyone help - I'm sure it is a simple question.
>>>
>>>I am working through Bob Ziegler's Firewall book.
>>>On page 115 (If you have it) He says Do not attempt to invoke specific
>>>iptables rules from the command line.
>>>On the previous page he had pointed to a shell script
>>>/etc/rc.d/rc.firewall
>>>
>>>He says to execute the shell script from the console.
>>>
>>>What does this mean ? I have looked through the firewall HOW-TO and that
>>>does not mention it which makes me think that it is very basic stuff
>>>that I just haven't twigged.
>>
> 
> Ziegler is assuming that you're going to create /etc/rc.d/rc.firewall as
> per the guidance in his book.
> 
> 
>>>My thoughts are to start a shell by running bash from the command line,
>>>but
>>>1. I thought the command line was bash
>>
> 
> It is.
> 
> 
>>2. That still does not explain the
>>
>>>/etc/rc.d/rc.firewall which does not exist on my system .
>>
> 
> Which means you'll need to create it.
> 
> If you're running RH though, and want to fit in with the way RH does
> things, you'll probably want to edit /etc/sysconfig/iptables instead of
> creating rc.firewall.
> 
> 
>>>Any help would be much appreciated - thanks
>>>Tim Holmes
>>
> 
> HTH,
> Alex.
> --
> Alex Butcher        Brainbench MVP for Internet Security: www.brainbench.com
> Bristol, UK                        Need reliable and secure network systems?
> PGP/GnuPG ID:0x271fd950            <http://www.assursys.com/>


-- 
There are 10 sorts of people.
Those that understand Binary and those that don't.
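An added example, not part of this thread or of Ziegler's book, showing the two points made above in working form: (1) /etc/sysconfig/iptables is input for iptables-restore (a "*filter" ... "COMMIT" block of rules written without the leading "iptables" word), not a script of iptables commands like rc.firewall, and a check that catches that mistake; (2) a timed rollback around iptables-restore, so that a ruleset loaded over an SSH session puts the old rules back by itself if the new rules cut the connection. The management address 192.0.2.10, SSH on port 22 and the rollback file path are my placeholders, not anything from the list.

```shell
#!/bin/sh
# Added example (not from the thread): build an /etc/sysconfig/iptables-style
# ruleset in iptables-restore format, sanity-check it, and load it with a
# timed rollback so a mistake made over an SSH session does not lock you out.
# Placeholders (assumptions): ADMIN_HOST, SSH port 22 and the ROLLBACK path.

ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"            # placeholder management address
ROLLBACK="${ROLLBACK:-/root/iptables.rollback}"   # where the previous rules are saved

# Emit the ruleset in the form iptables-restore expects: a "*table" line,
# ":CHAIN POLICY [packets:bytes]" lines, rules written without the leading
# "iptables" word, and a closing COMMIT.  This is data, not a shell script.
write_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Print "ok" and return 0 if FILE looks like iptables-restore input; otherwise
# print the reason and return 1.  The first test catches the mistake discussed
# above: copying an rc.firewall-style script of "iptables ..." commands into place.
check_ruleset() {
    f="$1"
    if grep -Eq '^[[:space:]]*(/sbin/)?iptables ' "$f"; then
        echo "error: contains iptables commands; the file is input for iptables-restore, not a script"
        return 1
    fi
    head -n 1 "$f" | grep -q '^\*' || { echo "error: must begin with a table line such as *filter"; return 1; }
    tail -n 1 "$f" | grep -q '^COMMIT$' || { echo "error: the table block must end with COMMIT"; return 1; }
    grep -q '^:INPUT ' "$f" || { echo "error: no default policy for INPUT"; return 1; }
    echo ok
}

# Number of "-A" rule lines in FILE.
count_rules() {
    grep -c '^-A ' "$1"
}

# Load FILE atomically with iptables-restore, keeping a copy of the running
# rules.  A background job restores that copy after GRACE seconds unless the
# admin, still connected, deletes the rollback file to confirm the new rules.
# Needs root and a real iptables; nothing in this function runs in the demo.
safe_apply() {
    f="$1"; grace="${2:-60}"
    check_ruleset "$f" >/dev/null || return 1
    iptables-save > "$ROLLBACK" || return 1
    iptables-restore < "$f" || return 1
    ( sleep "$grace"; [ -e "$ROLLBACK" ] && iptables-restore < "$ROLLBACK" ) &
    echo "new rules loaded; rm $ROLLBACK within ${grace}s to keep them"
}

# Demo: render the ruleset to a file and check it; no rules are applied.
demo() {
    out="${1:-./iptables.example}"
    write_ruleset > "$out"
    echo "wrote $out ($(count_rules "$out") rules)"
    check_ruleset "$out"
}

if [ "${1:-}" = "demo" ]; then demo "${2:-}"; fi
```

Running `sh firewall-example.sh demo` only writes and checks the file, so it is safe to try on any machine; `safe_apply` is the part that needs root and a real iptables, and it is the script-based equivalent of the "put the rug back" point made in the thread: the ruleset is loaded in one go rather than rule by rule, and the old rules come back on their own if you lose the connection before confirming.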



