On Thu, 2005-11-03 at 07:32, Peter Farrow wrote: > Rc.local is used explicitly for the running of scripts after the system > has booted. It is used as a catchall for things that don't have more explicit scripts using the runlevel mechanism. > Putting your own firewall scripts in here is a good place to put them > rather than relying on "service iptables save", this is because the > visibility of changes is poor when using the "service iptables save" > some one either inadvertantly or otherwise may modify the iptables and > re-issue a "service iptables save" and have it reloaded at boot quite > transparently. I don't follow how using the standard mechanism makes something less visible, or why anyone would think to look in rc.local instead of the usual place. > Having it visible in rc.local makes it easily viewable to see if its > been changed. Compared to?? > I would not trust any system hosted on the net with the rather open > ended "service iptables save". The only benefit that this offers is > that it brings the filewall up early on in the boot process, meaning at > boot time the machine is protected sooner. That's a reasonable point, but if you want to address it you might suggest a different init script linked to the right places in the runlevel directories. Someone might find it there... > To say that putting in rc.local is "not right" is really a bit misguided... It's not the right place for things that need to be adjusted on runlevel changes, although it can be used as a quick fix for not having a proper init script. -- Les Mikesell lesmikesell at gmail.com