[CentOS] Start scripts ordering
Aleksandar Milivojevic
alex at milivojevic.org
Sun Nov 27 03:57:41 UTC 2005
Phil Savoie wrote:
> Hi All,
>
> Was wondering if you could help me out. At work we are running CentOS 4.2 as
> our mailserver/firewall. The script in question is /etc/rc3.d/S08iptables.
> As this starts before the network adapters are set up, it hoses our iptables
> script resulting in denying our internal hosts internet access.
There shouldn't be a problem with that ordering (first iptables, then
network). What exactly happens? What is in your network configuration
that depends on firewall rules not being loaded?
> What I would like to do is mv the script to /etc/rc3.d/S11iptables so the
> interfaces are up and then the iptables script kicks in. It is in this way
> that we find it works best for us.
*Very* bad idea. It is possible, but do not do it. You *really* want
to first start iptables, and network only after the firewall rules are
loaded. Otherwise you would have a race condition where your network
interfaces are completely set up (accepting network traffic), but you
don't have any firewall rules to protect the host (and/or the network behind
it, if the host acts as a firewall). The window in which that race condition
would exist (if you swap the order of iptables and network) could be as short
as a second or two (on a very fast system with only one statically
configured interface), or as long as 10 seconds (or even longer) if you
have many interfaces and at least some of them are DHCP configured.
Even in the former case, it can be more than long enough for your system to
get broken into (by some automated tool that scouts the Internet address
space).
Anyhow, if you have problems, it is not the order of the iptables and
network startup scripts. Something else is broken in your config. Fix
the real underlying problem; don't create new problems by fixing the
symptoms only.
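As an added example (not part of the original thread, and not CentOS's own tooling), here is a small POSIX shell check that audits a SysV rc directory such as /etc/rc3.d for the ordering the reply insists on: the S??iptables start link must sort before the S??network start link, because init runs S links in lexical order. The function names, the fixture directories and the file names S08iptables, S10network and S11iptables are constructed for the demo; the script only creates files under a temporary directory and never touches a real rc directory.

```shell
#!/bin/sh
# Constructed example: check that firewall rules (iptables) are scheduled
# to start before the network service in a SysV rc directory.
# Assumes the CentOS 4 naming convention S<NN><service> for start links.

# rc_start_link DIR SERVICE
# Prints the name of the first S??SERVICE link in DIR; returns 1 if none.
rc_start_link() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        basename "$f"
        return 0
    done
    return 1
}

# check_rc_order DIR
# Returns 0 when iptables sorts before network (safe), 1 when network
# would come up first (unprotected window), 2 when a link is missing.
check_rc_order() {
    dir=$1
    ipt=$(rc_start_link "$dir" iptables) || { echo "no iptables start link in $dir" >&2; return 2; }
    net=$(rc_start_link "$dir" network)  || { echo "no network start link in $dir" >&2; return 2; }
    # Extract the two-digit sequence numbers; init orders S links by them.
    ipt_n=${ipt#S}; ipt_n=${ipt_n%%[!0-9]*}
    net_n=${net#S}; net_n=${net_n%%[!0-9]*}
    if [ "$ipt_n" -lt "$net_n" ]; then
        echo "OK: $ipt starts before $net"
        return 0
    fi
    echo "WARNING: $net starts before (or with) $ipt: interfaces come up without firewall rules" >&2
    return 1
}

# make_fixture LINK1 LINK2
# Builds a throwaway directory with two constructed start links and prints
# its path (demo only; not a real rc directory).
make_fixture() {
    d=$(mktemp -d)
    : > "$d/$1"
    : > "$d/$2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    good=$(make_fixture S08iptables S10network)   # stock CentOS-style order
    bad=$(make_fixture S11iptables S10network)    # the swap proposed in the thread
    check_rc_order "$good"
    check_rc_order "$bad" || echo "(detected unsafe ordering)"
    rm -rf "$good" "$bad"
fi
```

Run it with `--demo` to see both outcomes, or call `check_rc_order /etc/rc3.d` on a real system to audit the current runlevel; a non-zero exit is the cue to restore the original link numbers rather than to keep the swapped order.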