On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
>
> You might want to install iptables-persistent, otherwise you'll have to
> roll-out your own solution.

I'm not using iptables-persistent, but just looked at it out of curiosity.
Its LSB:

### BEGIN INIT INFO
# Provides:          netfilter-persistent
# Required-Start:    mountkernfs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     S
# Default-Stop:      0 1 6
# Short-Description: Load boot-time netfilter configuration
# Description:       Loads boot-time netfilter configuration
### END INIT INFO

S also starts in single-user mode, i.e. without network?  $remote_fs requires
ip links to be already set up?

Stop, for good measure, does nothing.  The comment in the script is crisply
nice:

stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;

> In the particular case of iptables instead of writing a script you
> should probably just reuse your existing rules file and load that with
> an 'iptables-restore' from the .service unit.

That's somewhat questionable in some cases.  I'd recommend writing a script
with iptables commands rather than interactively issuing iptables commands
until you are satisfied with the current setup.  That's natural, since
iptables doesn't give visual feedback, so reasoning is your best friend.
IOW, a commented script is more readable than an interactive setup.  Then,
since you have a script, why not run it directly, rather than
saving/restoring its results?

> We are quite far from the original topic so I would suggest you start a
> new thread in case you need assistance with this.

I try, but don't reset References:/In-Reply-To: header fields.

Best
Ale
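
The approach discussed in the message above (a commented script of iptables commands that is run directly, with a "stop" action that refuses to flush) could look like the following. This is an added example, not code from the poster or from netfilter-persistent; the rule set, the function names and the IPT override are assumptions.

```shell
#!/bin/sh
# Constructed example, not netfilter-persistent's code or the poster's script.
# The rule set (loopback, established traffic, SSH on 22/tcp) is an assumption.
# Set IPT to another command to dry-run, e.g. IPT=echo sh firewall.sh start
# (the file name firewall.sh is hypothetical).
IPT="${IPT:-iptables}"

fw_start() {
    # Default-deny first, so nothing is exposed while the rules load.
    $IPT -P INPUT DROP || return 1
    $IPT -P FORWARD DROP || return 1
    $IPT -P OUTPUT ACCEPT || return 1
    # Clear rules left by a previous run so "start" can be repeated safely.
    $IPT -F INPUT || return 1
    # Local processes talk to each other over the loopback interface.
    $IPT -A INPUT -i lo -j ACCEPT || return 1
    # Replies to connections this host opened itself.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    # Remote administration (assumed: sshd on its default port).
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT || return 1
}

fw_flush() {
    # Explicit, operator-requested teardown: open policies, then drop all rules.
    $IPT -P INPUT ACCEPT || return 1
    $IPT -P FORWARD ACCEPT || return 1
    $IPT -F || return 1
}

fw_main() {
    case "$1" in
        start|restart|reload)
            fw_start ;;
        stop)
            # Same choice as the quoted init script: "stop" runs during package
            # upgrades, so it must not leave the host unfiltered.
            echo 'Automatic flushing disabled, use "flush" instead of "stop"' ;;
        flush)
            fw_flush ;;
        *)
            echo "usage: $0 {start|stop|restart|reload|flush}" >&2
            return 2 ;;
    esac
}

# Do nothing when sourced or run without an argument.
[ $# -eq 0 ] || fw_main "$@"
```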