Dear All,

I've written my own firewall script which is probably a bit over the top, but it did help me to learn more about firewalls and why people spend so much time writing them. I'd like to use the SuSE firewals RPM, but it's about the only thing in SuSE software that I don't like. Apologies to Marc Huese for saying that. I know he's put a lot of work into it and he continues to do so. I'll look forward to further developments from Marc.

What I'd like to know is how to tell my SuSE 7.0 dialup system to start the script at boot time. I can do this with various other bits of useful software but can't work out how to do it with firewalls. Best I've done so far is a small crowd of Red Hat users giving me all sorts of information.

Thank you
--
Richard
http://www.sheflug.co.uk
On Sun, Jan 07, 2001 at 17:08 +0000, Richard wrote:
I've written my own firewall script [ ... ]
What I'd like to know is how to tell my SuSE 7.0 dialup system to start the script at boot time.
Have a look at the /sbin/init.d directory structure (or wherever the start scripts live today, maybe /etc/rc.d/init.d). There's a README and some skeleton script. IIRC the handbook has a chapter about the SysV boot mimic, too. At least it did in former times. :) Alternatively you could look at the 'rpm -ql -p firewals' output and see what the SuSE script does to hook into the system.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig  ( true | mail -s "get gpg key" Gerhard.Sittig@gmx.net )
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Try /etc/rc.d/boot.local --- this is SuSE's suggested place for such items.

#! /bin/sh
#
# Copyright (c) 1996 SuSE GmbH Nuernberg, Germany.  All rights reserved.
#
# Author: Florian La Roche <florian@suse.de>, 1996
#         Werner Fink <werner@suse.de>, 1996
#         Burchard Steinbild <bs@suse.de>, 1996
#
# /sbin/init.d/boot.local
#
# script with local commands to be executed from init on system startup
#

. /etc/rc.config

#
# Here you should add things, that should happen directly after booting
# before we're going to the first run level.
#

--Joey

Joey Kelly
System & Network Administrator
ActionBusinessSystems.com
&&
Gimme this! Gimme that! Hurry up or I'll knock you flat!
At 01:31 PM 9/01/2001 -0600, you wrote:
Try /etc/rc.d/boot.local --- this is SuSE's suggested place for such items.
--snip--
. /etc/rc.config

#
# Here you should add things, that should happen directly after booting
# before we're going to the first run level.
WRONG! Do NOT run your firewall from boot.local, as it will not initialize properly because your interfaces will not be configured correctly. You SHOULD, as stated by someone else, create your own startup script for it (which is very easy to do).

---
Nix - nix@susesecurity.com
SuSE-Security FAQ Maintainer
http://www.susesecurity.com
On Sun, Jan 14, 2001 at 04:40 +1100, Nix wrote:
WRONG! Do NOT run your firewall from boot.local, as it will not initialize properly because your interfaces will not be configured correctly. You SHOULD, as stated by someone else, create your own startup script for it (which is very easy to do).
Well, it depends. IIRC it was in the ancient ipfwadm times when you had to first bring up your interfaces and only then could reference them in your packet filter rules. This changed with ipchains, where you can first set up your filter rules and then configure and activate your NIFs. Although I agree that almost nothing is best put into boot.local, and a new script in rc[23].d with an up and down branch would be most appropriate for a packet filter or a network service or other personal daemons, monitors, whatever.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig  ( true | mail -s "get gpg key" Gerhard.Sittig@gmx.net )
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
At 01:31 PM 9/01/2001 -0600, you wrote:
Try /etc/rc.d/boot.local --- this is SuSE's suggested place for such items.
--snip--
. /etc/rc.config

#
# Here you should add things, that should happen directly after booting
# before we're going to the first run level.
WRONG! Do NOT run your firewall from boot.local, as it will not initialize properly because your interfaces will not be configured correctly. You SHOULD, as stated by someone else, create your own startup script for it (which is very easy to do).
Sorry to interfere here... If a firewall (a packet filter) needs configured interfaces to work, it's probably not worth the time configuring it. Using ipchains, you can safely fill the kernel with firewall rules for interfaces that it doesn't know yet, and the rules will kick in as soon as the interface is up and running (literally...). This is how it is supposed to be. Having firewall rules initialized _after_ the iface is up means a race condition against the system startup speed. Such a race used to be a problem in Marc's SuSEfirewall a few months ago.
Nix - nix@susesecurity.com SuSE-Security FAQ Maintainer
Nix, how do we get together with linking the FAQ to http://www.suse.de/security ?
Thanks,
Roman.

--
Roman Drahtmüller <draht@suse.de>      // "Caution: Cape does
SuSE GmbH - Security   Phone:          // not enable user to fly."
Nürnberg, Germany      +49-911-740530  // (Batman Costume warning label)
* Richard wrote on Sun, Jan 07, 2001 at 17:08 +0000:
I'd like to use the SuSE firewals RPM but it's about the only thing in SuSE software that I don't like.
You don't like the SuSE firewall script and that's the only thing you don't like (please correct me if I misunderstood!)? Well, I don't like it either, but there are other things that are not made perfect, I think :) But I use SuSE since it's a very good distribution, but that's not a topic for this list :)
What I'd like to know is how to tell my SuSE 7.0 dialup system to start the script at boot time.
$ $PAGER /etc/rc.d/README
I can do this with various other bits of useful software but can't work out how to do it with firewalls.
Take care that your script doesn't need environment variables and other things that are not set up correctly during bootup. Maybe the PATH is not set correctly? Check the error messages. Don't forget to set the interpreter in the first line (e.g. "#!/bin/bash").

oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.
On Sun, Jan 07, 2001 at 05:08:47PM +0000, Richard wrote:
Dear All, I've written my own firewall script which is probably a bit over the top, but it did help me to learn more about firewalls and why people spend so much time writing them. I'd like to use the SuSE firewals RPM, but it's about the only thing in SuSE software that I don't like. Apologies to Marc Huese for saying that. I know he's put a lot of work into it and he continues to do so. I'll look forward to further developments from Marc.
What I'd like to know is how to tell my SuSE 7.0 dialup system to start the script at boot time. I can do this with various other bits of useful software but can't work out how to do it with firewalls. Best I've done so far is a small crowd of Red Hat users giving me all sorts of information.
Why do you want to start the script at boot time? Do you always have the same IP address? I also wrote my own firewall script, but it is started from /etc/ppp/ip-up - it runs every time a new connection is established, with the exported variable $LOCALIP.

--
Jarosław Kamper
jarekkam@alpha.net.pl
UIN: 35713516
http://www.kki.net.pl/~jarekkam
Registered Linux User # 165846
--
---- VIRTUAL DEDICATED SERVER - Uncompromisingly the best offer for your company! http://www.virtual.alpha.pl ----
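Added example, pulling the thread's advice together (Gerhard's rc[23].d script with an up and a down branch, Roman's point that ipchains rules can be loaded before the interface exists, Steffen's PATH/interpreter warning, and Jarosław's ip-up hook). This is not code from any poster in the thread and not the script from the firewals/SuSEfirewall package. The file name /sbin/init.d/firewall, the interface name ppp0, the chosen rule set (inbound-only filtering for a dialup box with no offered services, no forwarding, no masquerading) and the way it is called from ip-up are assumptions; the ip-up argument order is the one pppd(8) documents.

```shell
#!/bin/sh
#
# /sbin/init.d/firewall -- example ipchains start script for a SuSE 7.0
# dialup box (hypothetical file name; pick one that does not collide with
# the script shipped in the firewals package).
#
# From init (S/K links in /sbin/init.d/rc2.d and rc3.d):
#     firewall {start|stop|status}
# From /etc/ppp/ip-up, with the arguments pppd(8) passes to ip-up:
#     firewall ip-up IFACE TTY SPEED LOCALIP REMOTEIP IPPARAM
#
# The boot environment is minimal, so set PATH here instead of relying on
# whatever init inherited (Steffen's point).
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
# . /etc/rc.config   # SuSE convention: source it and gate on a START_* variable

IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # IPCHAINS=echo gives a dry run
PPP_IF=${PPP_IF:-ppp0}                 # assumed name of the dialup interface

# fw_rules IFACE [LOCALIP]
# Loads the complete rule set.  ipchains matches interface names as strings,
# so this works before IFACE exists: run it from rc2.d/rc3.d before pppd is
# started and there is no window in which the link is up but unfiltered
# (Roman's point).  Once ip-up knows the address, the same function is run
# again with LOCALIP to tighten the destination matches to that address.
fw_rules() {
    iface=$1
    me=${2:-0/0}

    # 1. Close the door first, then flush.  Flushing before the policy is
    #    DENY would leave an ACCEPT policy with no rules for a moment.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -F
    $IPCHAINS -X

    # 2. Loopback is unrestricted.
    $IPCHAINS -A input -i lo -j ACCEPT

    # 3. Anti-spoofing on the dialup link: nothing arriving there may claim
    #    our own address or a private/loopback source.  -l logs to syslog.
    if [ "$me" != 0/0 ]; then
        $IPCHAINS -A input -i "$iface" -s "$me" -l -j DENY
    fi
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPCHAINS -A input -i "$iface" -s $net -l -j DENY
    done

    # 4. Replies to connections we opened: TCP without SYN (! -y), DNS
    #    answers from UDP port 53, and the ICMP types needed for ping,
    #    traceroute and path-MTU discovery (types 0, 3 and 11).
    $IPCHAINS -A input -i "$iface" -p tcp ! -y -d "$me" -j ACCEPT
    $IPCHAINS -A input -i "$iface" -p udp -s 0/0 53 -d "$me" -j ACCEPT
    for t in 0 3 11; do
        $IPCHAINS -A input -i "$iface" -p icmp -s 0/0 $t -d "$me" -j ACCEPT
    done

    # 5. Everything else that reaches the link is denied and logged.
    $IPCHAINS -A input -i "$iface" -l -j DENY
}

# fw_stop: remove all filtering.  Only for debugging; the link is then open.
fw_stop() {
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -F
    $IPCHAINS -X
}

case "$1" in
    start)   fw_rules "$PPP_IF" ;;
    stop)    fw_stop ;;
    status)  $IPCHAINS -L -n -v ;;
    ip-up)   fw_rules "$2" "$5" ;;     # $2 = interface, $5 = local IP (pppd)
    "")      ;;                        # no action requested: nothing to do
    *)       echo "usage: $0 {start|stop|status|ip-up IFACE TTY SPEED LOCALIP ...}" >&2
             exit 1 ;;
esac
```

Hooking it in: give it an S link in /sbin/init.d/rc2.d and rc3.d with a number lower than the network start script's (look at the existing links to see which number that is), and a K link for shutdown; then add a line like `/sbin/init.d/firewall ip-up "$@"` to /etc/ppp/ip-up (check your version's ip-up for where it runs local additions). `IPCHAINS=echo /sbin/init.d/firewall start` prints the rules instead of loading them, and `ipchains -L -n -v` afterwards shows the loaded rules with their packet counters, which is the quickest way to confirm that the DENY rule at the end is the one catching unsolicited traffic. To offer a service on the link, add an explicit `-p tcp -d "$me" PORT -j ACCEPT` rule above the final DENY.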