* Gerhard Sittig wrote on Mon, Jun 12, 2000 at 22:11 +0200:
On Mon, Jun 12, 2000 at 20:41 +0200, Winfried Trautsch wrote:
Escaping the colon is not sufficient (especially when you don't know how many times the parameters get passed down the chain from the rc.config(?) parameter bundle to the shell assigning the value and evaluating it -- how is the variable's name generated?).
Well, it's some kind of variables that perl calls a symbolic reference I think. Personally I don't like this style of coding, especially in security relevant scripts. So you may write your own script or patch it; but IMHO the SuSE-Firewall isn't really flexible, since it is a design issue. If you don't prefer to lose functionality, make it your own :)
You didn't get the first message: A colon is something that doesn't fit into a variable's name!
Well, I don't think that Winfried has a lot of experience in shell scripting, he has just tried out a modification, ain't?
Background: Some IRC servers reject the connection, if it comes from a nameserver. As the primary nameserver for my domain runs on the firewall, I had to put up another IP address for DNS.
That's where I would even think about moving the DNS server away from the firewall and instead hide it inside _behind_ a filter.
You're right, but keep in mind that there are some small networks out there :) Maybe there are not enough machines to deploy a DNS server on another host. OK, a SuSE bind package isn't installed chroot with its own user AFAIK, so I wouldn't use such a config in production. Bind had some problems last time...
I really would think more than twice before putting "real" functionality on any firewall except for filters and logging mechanisms.
Yepp, but maybe that's the only linux/un*x machine there, who knows. Anyway, I don't think it's a solution to set up a new server when a script is just too silly to do the work, IMHO. And there may be other cases things go wrong on such a design, but don't think I know or use the SuSE firewall script (I took a look once upon a while and I didn't like it, but this was years ago IIRC). My firewall setup logs via syslog, which is mailed or "SMSed" to me, and the script catches up errors when executing the ipchains command. It may be a good idea to add such a feature to the SuSE firewall script, if possible (and necessary).
About firewalls and services: It's better to have a packet filter on a DNS server than no packet filter IMHO :). BTW: just a packet filter is no real firewall in my opinion, it's just a packet filter :).
oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.