On Thu, 2005-11-03 at 07:32, Peter Farrow wrote:
Rc.local is used explicitly for the running of scripts after the system has booted.
It is used as a catchall for things that don't have more explicit scripts using the runlevel mechanism.
Putting your own firewall scripts in here is a good place to put them rather than relying on "service iptables save", this is because the visibility of changes is poor when using the "service iptables save" some one either inadvertantly or otherwise may modify the iptables and re-issue a "service iptables save" and have it reloaded at boot quite transparently.
I don't follow how using the standard mechanism makes something less visible, or why anyone would think to look in rc.local instead of the usual place.
Having it visible in rc.local makes it easily viewable to see if its been changed.
Compared to??
I would not trust any system hosted on the net with the rather open ended "service iptables save". The only benefit that this offers is that it brings the filewall up early on in the boot process, meaning at boot time the machine is protected sooner.
That's a reasonable point, but if you want to address it you might suggest a different init script linked to the right places in the runlevel directories. Someone might find it there...
To say that putting in rc.local is "not right" is really a bit misguided...
It's not the right place for things that need to be adjusted on runlevel changes, although it can be used as a quick fix for not having a proper init script.