[CentOS] Putting nat routing into place permanently? -- service iptables save

Mon Nov 7 10:38:02 UTC 2005
Peter Farrow <peter at farrows.org>

>It's not the right place for things that need to be adjusted on
>runlevel changes, although it can be used as a quick fix for
>not having a proper init script.

One final point: why would you want to change a firewall on runlevel 
changes?  On an internet-facing machine this would seem an odd and risky 
thing to do...

Get your firewall right, and you never need to change it unless the 
function of the box changes; certainly having a firewall change on 
runlevels seems weird to me....

Regards

Pete

Les Mikesell wrote:

>On Thu, 2005-11-03 at 07:32, Peter Farrow wrote:
>
>>Rc.local is used explicitly for the running of scripts after the system 
>>has booted.
>
>It is used as a catchall for things that don't have more
>explicit scripts using the runlevel mechanism.
>
>>Putting your own firewall scripts in here is a good place to put them 
>>rather than relying on "service iptables save"; this is because the 
>>visibility of changes is poor when using "service iptables save": 
>>someone, either inadvertently or otherwise, may modify the iptables and 
>>re-issue a "service iptables save" and have it reloaded at boot quite 
>>transparently.
>
>I don't follow how using the standard mechanism makes something
>less visible, or why anyone would think to look in rc.local
>instead of the usual place.
>
>>Having it visible in rc.local makes it easily viewable to see if it's 
>>been changed.
>
>Compared to??
>
>>I would not trust any system hosted on the net with the rather open 
>>ended "service iptables save".  The only benefit that this offers is 
>>that it brings the firewall up early on in the boot process, meaning at 
>>boot time the machine is protected sooner.
>
>That's a reasonable point, but if you want to address it you might
>suggest a different init script linked to the right places in the
>runlevel directories.  Someone might find it there...
>
>>To say that putting in rc.local is "not right" is really a bit misguided...
>
>It's not the right place for things that need to be adjusted on
>runlevel changes, although it can be used as a quick fix for
>not having a proper init script.
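The visibility concern raised in the thread (a rule change quietly re-saved with "service iptables save" and reloaded at boot) can be addressed by comparing the saved ruleset against the running one. The script below is an added example, not code from the CentOS thread or from the iptables project: it normalizes two iptables-save dumps (dropping the timestamp comments and per-chain counters that change on every dump, but keeping rule order, since reordering changes firewall behaviour) and reports any drift. The file paths /etc/sysconfig/iptables and the iptables-save command are the assumed real inputs; both rulesets here are constructed samples so it runs offline without root.

```shell
#!/bin/sh
# Added example, not code from the CentOS thread above: compare a saved
# iptables ruleset with the running one so that a rule change that was
# re-saved with "service iptables save" does not go unnoticed at boot.
# On CentOS 4 the saved file is /etc/sysconfig/iptables and the running
# ruleset comes from "iptables-save" (assumed paths; needs root for real use).
# Here both inputs are constructed sample files so the script runs offline.

# normalize_rules FILE: drop iptables-save's timestamp comments and the
# per-chain packet/byte counters ("[n:m]"), which change on every dump.
# Rule order is kept on purpose: reordering rules changes firewall behaviour.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/ *\[[0-9]*:[0-9]*\]//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# rules_differ SAVED RUNNING: succeeds (exit 0) when the rulesets differ.
rules_differ() {
    [ "$(normalize_rules "$1")" != "$(normalize_rules "$2")" ]
}

# show_drift SAVED RUNNING: print a unified diff of the normalized rulesets.
# Exit status is diff's: 0 identical, 1 different.
show_drift() {
    tmp_a=$(mktemp) || return 2
    tmp_b=$(mktemp) || return 2
    normalize_rules "$1" > "$tmp_a"
    normalize_rules "$2" > "$tmp_b"
    diff -u "$tmp_a" "$tmp_b" && rc=0 || rc=$?
    rm -f "$tmp_a" "$tmp_b"
    return "$rc"
}

# make_samples: write two constructed rulesets (NAT masquerade plus a small
# filter policy) and set their paths in SAVED_RULES and RUNNING_RULES.
# The "running" copy has non-zero counters and one extra INPUT rule.
make_samples() {
    SAVED_RULES=$(mktemp)
    RUNNING_RULES=$(mktemp)
    cat > "$SAVED_RULES" <<'EOF'
# Generated by iptables-save v1.2.11 on Mon Nov  7 10:00:00 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Mon Nov  7 10:00:00 2005
EOF
    cat > "$RUNNING_RULES" <<'EOF'
# Generated by iptables-save v1.2.11 on Mon Nov  7 10:38:02 2005
*nat
:PREROUTING ACCEPT [312:18720]
:POSTROUTING ACCEPT [45:3140]
:OUTPUT ACCEPT [45:3140]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [17:1020]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2210:301422]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Mon Nov  7 10:38:02 2005
EOF
}

# Stand-alone run: report drift between the two constructed rulesets.
make_samples
if rules_differ "$SAVED_RULES" "$RUNNING_RULES"; then
    echo "running ruleset differs from saved ruleset:"
    show_drift "$SAVED_RULES" "$RUNNING_RULES"
else
    echo "rulesets match"
fi
rm -f "$SAVED_RULES" "$RUNNING_RULES"
```

Against a real box the same functions take the saved file and a fresh dump, e.g. `iptables-save > /tmp/running.rules && show_drift /etc/sysconfig/iptables /tmp/running.rules`; run from cron, a non-zero exit is the signal that someone changed the live rules (or re-saved them) since the last reviewed copy, which is exactly the change that "service iptables save" would otherwise carry silently into the next boot.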