[sclug] Firewalls

lug at assursys.co.uk
Sat Oct 25 09:05:31 UTC 2003


On Tue, 14 Jan 2003, Tom Dawes-Gamble wrote:

> Hi Tim.
> 
> 	Indeed the files in /etc/rc.d/init.d are the start-up scripts.
> They use files in /etc/sysconfig to decide how they run, i.e. to set variables.
> 
> 	I'm not familiar with Mandrake so I can't say exactly what you need
> 	to do.

It's probably the same as RH. Most Mandrake things are. ;-)

> 	It may not just be a case of renaming rc.firewall to
> 	/etc/sysconfig/iptables.

It isn't. Did I accidentally give that impression? Oops. ;-)

> 	On a RH 7.3 /etc/rc.d/init.d/network has a symbolic link
> /etc/rc.d/rc5.d/S10network and /etc/rc.d/init.d/iptables has a symlink
> /etc/rc.d/rc5.d/S08iptables. This suggests to me that iptables are
> put in place before networking is started. (Makes sense.)

Correct. This avoids a flaw that early versions of CheckPoint's FireWall-1
had...

> /etc/rc.d/init.d/iptables will be invoked by init with the argument "start"
> so any existing tables will be removed and then the tables from
> /etc/sysconfig/iptables will be installed.
> 
> 	From what I can see and from what I know about rc.firewall,
> rc.firewall will not work as your /etc/sysconfig/iptables file. The
> file needs to be the correct format for input to /sbin/iptables-restore.

If you use a shell script (i.e. rc.firewall) or whatever to install a
functional set of iptables rules, you can then use

/sbin/iptables-save >/etc/sysconfig/iptables

to save them. Mostly, this file is a list of iptables arguments, so now I've
got one, I generally edit it manually. YMMV though. The only thing that
isn't documented is RH's names for the chains it defines. I'm not sure
whether there will be unexpected side-effects later...

> Regards,
> Tom.

Best Regards,
Alex.
-- 
Alex Butcher        Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                        Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                           <http://www.assursys.com/>
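Added example, not code from this post or from either poster: a small POSIX sh/awk lint for a file in iptables-save format, the format /etc/sysconfig/iptables must be in for iptables-restore. Because the saved file refers to chains only by name (including the distribution's own chain names the post mentions), a typo in one reference makes iptables-restore reject the whole file, and the S08iptables step then installs nothing at boot. The lint reports any rule that appends to or jumps to a chain not declared with a ":CHAIN" line in the same table. The chain name FW-INPUT and the sample rules are constructed for the example, not Red Hat's real ones.

```shell
#!/bin/sh
# Added example (not from the original post): lint a file in iptables-save
# format before it is handed to iptables-restore. Every chain a rule is added
# to, or jumps to, must be declared with a ":CHAIN" line in the same table;
# anything else is rejected by iptables-restore as a whole.

# lint_iptables_save: read iptables-save output on stdin, print one line per
# undeclared chain reference, return 1 if any were found and 0 otherwise.
lint_iptables_save() {
    awk '
    BEGIN {
        bad = 0
        # built-in targets are not user chains and need no ":CHAIN" line
        n = split("ACCEPT DROP REJECT RETURN LOG QUEUE MASQUERADE SNAT DNAT REDIRECT MARK", b, " ")
        for (i = 1; i <= n; i++) builtin[b[i]] = 1
    }
    /^\*/        { table = substr($0, 2); next }                 # "*filter" opens a table
    /^:/         { sub(/^:/, ""); defined[table SUBSEP $1] = 1; next }  # ":INPUT DROP [0:0]"
    /^COMMIT/    { next }
    /^#/ || /^$/ { next }                                        # comments and blank lines
    {
        # the chain a rule is appended to or inserted into must exist ...
        if ($1 == "-A" || $1 == "-I") used[table SUBSEP $2] = NR
        # ... and so must any user chain the rule jumps or goes to
        for (i = 1; i < NF; i++)
            if ($i == "-j" || $i == "-g" || $i == "--jump" || $i == "--goto")
                used[table SUBSEP $(i + 1)] = NR
    }
    END {
        for (k in used) {
            split(k, p, SUBSEP)
            if (!(k in defined) && !(p[2] in builtin)) {
                printf "line %d: chain %s is not declared in table %s\n", used[k], p[2], p[1]
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample in iptables-save format; the FW-INPUT chain is invented.
GOOD_RULES='# constructed sample in iptables-save format
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW-INPUT - [0:0]
-A INPUT -j FW-INPUT
-A FW-INPUT -i lo -j ACCEPT
-A FW-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FW-INPUT -p tcp --dport 22 -j ACCEPT
-A FW-INPUT -j LOG --log-prefix "fw-drop: "
-A FW-INPUT -j DROP
COMMIT'

# The same rules with a typo in one jump target (FW-INPTU), which
# iptables-restore would refuse to load.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | sed 's/^-A INPUT -j FW-INPUT$/-A INPUT -j FW-INPTU/')

# check_rules NAME RULES: run the lint on RULES and report; returns its status.
check_rules() {
    if printf '%s\n' "$2" | lint_iptables_save; then
        echo "$1: ok, safe to restore"
    else
        echo "$1: would be rejected by iptables-restore"
        return 1
    fi
}

check_rules good "$GOOD_RULES"
check_rules bad "$BAD_RULES" || :   # the second sample is expected to fail
```

To check a real file, run `lint_iptables_save </etc/sysconfig/iptables` after `iptables-save >/etc/sysconfig/iptables` or after hand-editing the file, and before rebooting; a non-zero exit means the boot-time restore would fail too.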