Bret Comstock Waldow wrote:

On Wed, 2003-08-27 at 14:12, Murray J. Brown wrote:
BTW, the author's note was not a cop-out; it was actually an insightful
remark, albeit terse and presumptive of some sophistication on the part
of the user.
I continue not to agree on this count. The note provided didn't say anything about _why_ it shouldn't be used. From a position of ignorance (newbie), I can infer, but can't know. Is it a security issue? A maintenance issue? Potential conflict with another commonly customized subsystem? Something else entirely?

The author suggests he was "hounded" into providing it, despite the
unexplained misgivings he had.  I think his appropriate response if he
thought there were serious problems with the approach would have been to
say "write it yourself if you think it's appropriate - I don't".

Then, whoever wanted it would be responsible for making it work,
explaining it, etc.  As it is, he let the people who wanted it off the
hook (so they don't take any responsibility), but he doesn't say why he
doesn't think it should be used either - leaving people who don't have
the background to do it without his contribution in the dark and
uncertain.  He's got a secret, but he isn't telling.

The first paragraph of the document you were quoting from must not have stood out enough. I understand the frustration of things being different between distributions, and I have made the mistake of missing a critical piece of information that is already documented more than once. I hope this helps.

[begin the big secret]
$ head -11 /etc/default/iptables
# /etc/init.d/iptables defaults file

# INTRODUCTION: First thing first, I must warn you. The iptables
# init.d setup and iptables tools themselves are VERY much capable
# of locking you out of network services. This includes remote and
# local network services, even localhost. You can even block local
# console logins if authentication is network based. And please do
# not be lulled into a false sense of security because you simply
# installed the iptables package. It really does not provide a
# firewall or any system security.
#
[end the big secret]

So, to me it seems the author of the init.d script didn't want to make it because if you had saved some bad rules, it was slightly possible that you couldn't log into your system again after rebooting. I think it is good that they point out that just installing the iptables package doesn't provide a firewall or system security. They do go on to give directions on how to save and restore iptables rules after you have set them up. He doesn't talk about how to set up 'firewall' or 'nat' or any other rules in iptables (presumably) because the package isn't a firewall package. It is an 'IP packet filter administration tools' package.

In the longer term, tying the rules to the network inits seems sensible.

Cheers,
Bret
I hope that the network interface up/down scripts work for you. I agree it seems sensible (I just don't care to implement it myself at the moment.)

Jacob
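The lockout Jacob describes (bad rules saved, then restored unattended at boot) can be caught before the restore step. The following is an added example, not a script from the thread or from the Debian iptables package: a pre-flight lint of a file in iptables-save format that refuses a DROP/REJECT INPUT policy unless the loopback and ESTABLISHED rules that keep localhost and your current session alive are present. The two sample rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Lint a saved ruleset (iptables-save format) before it is restored at boot.
# Returns 0 if the filter table's INPUT chain looks safe to load unattended,
# 1 if it is likely to lock out localhost services or existing sessions.
check_saved_rules() {
    # Keep only the *filter table; the other tables cannot block INPUT.
    filter=$(awk '/^\*filter/ { p = 1; next } /^COMMIT/ { p = 0 } p' "$1")
    policy=$(printf '%s\n' "$filter" | awk '$1 == ":INPUT" { print $2 }')
    status=0
    case "$policy" in
        DROP|REJECT)
            # Minimum rules that keep localhost and the session you are typing
            # in alive once the default policy drops everything else.
            printf '%s\n' "$filter" | grep -q -- '^-A INPUT -i lo -j ACCEPT' ||
                { echo "INPUT policy $policy with no loopback ACCEPT rule" >&2; status=1; }
            printf '%s\n' "$filter" | grep -Eq -- '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED.* -j ACCEPT' ||
                { echo "INPUT policy $policy with no ESTABLISHED rule" >&2; status=1; }
            ;;
        ACCEPT) ;;   # open by default: cannot lock you out, whatever else is wrong
        *) echo "no INPUT chain policy in the filter table" >&2; status=1 ;;
    esac
    return $status
}

# Constructed sample rulesets (not taken from the thread).
SAFE_RULES=$(mktemp); BAD_RULES=$(mktemp)
cat > "$SAFE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
# Same policy, but saved before the two safety rules were added.
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

for f in "$SAFE_RULES" "$BAD_RULES"; do
    if check_saved_rules "$f"; then echo "$f: safe to restore"; else echo "$f: refusing to restore"; fi
done
```

Run it from the init script or an interface up hook with the saved rules file as the argument and skip iptables-restore on a non-zero exit.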