[ale] Interesting Firewall Issue

James P. Kinney III jkinney at localnetsolutions.com
Fri Dec 6 22:40:57 EST 2002


On Fri, 2002-12-06 at 22:25, Jonathan Glass wrote:

> Added the firewall script to S99local, and now it works!  Weird!
> 
Not really. The update set the firewall script to run at some time
during boot up. The entire process of starting networking and firewall
take a few seconds. Your firewall was being run on its schedule as S98,
then the RH firewall was _finally_ running afterwards which includes
flushing all current firewall rules. When you moved yours to S99, the RH
had time to finish and yours overwrote the RH rules.

On RH8 (and others) the firewall init is BEFORE the networking (S08
firewall and S10 network). That is good for having the security in place
when the netline goes hot, but it is slow to start. The firewall has to
poll for working networking. If your firewall starts between networking
up and the next RH poll time, it gets loaded and then dumped when RH
poll says to run.

A better solution is to start the firewall in two stages. The first
stage has no rules and all defaults are to drop everything. Then start
networking. This setup does not require polling as there are no
interfaces specified and no rules to setup and associate with
interfaces. Now start networking. Then start the real firewall init with
the specialized rules and interfaces.

And a final admin trick from another Aler, when you change firewall code
on a remote box, do it with a script that has a wait time and the
ability to restore the old firewall if not killed within a certain time
frame. Neat trick to save crosstown drives :)
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
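The remote-change trick from the last paragraph, sketched in POSIX shell as an added example (not a script from the post or the list). It assumes iptables-save/iptables-restore are the load and dump commands; the FW_* variables and fw_* functions are hypothetical names chosen here.

```shell
# Hypothetical names. The commands are variables so the same logic can be
# exercised against a fake firewall as well as the real iptables tools.
FW_SAVE=${FW_SAVE:-iptables-save}
FW_RESTORE=${FW_RESTORE:-iptables-restore}
FW_BACKUP=${FW_BACKUP:-/var/tmp/firewall.rollback}
FW_PIDFILE=${FW_PIDFILE:-/var/tmp/firewall.watchdog.pid}

# Snapshot the live ruleset so there is a known-good state to fall back to.
fw_snapshot() {
    $FW_SAVE > "$FW_BACKUP"
}

# Load the new ruleset file $1, then arm a background watchdog that reloads
# the snapshot after $2 seconds (default 120) unless fw_confirm cancels it.
# If the new rules fail to load at all, roll back immediately.
fw_apply() {
    newrules=$1
    grace=${2:-120}
    fw_snapshot || return 1
    if ! $FW_RESTORE < "$newrules"; then
        $FW_RESTORE < "$FW_BACKUP"
        return 1
    fi
    (
        sleep "$grace"
        [ -f "$FW_PIDFILE" ] || exit 0      # cancelled by fw_confirm
        rm -f "$FW_PIDFILE"                 # claim the rollback first
        $FW_RESTORE < "$FW_BACKUP"
    ) &
    echo $! > "$FW_PIDFILE"
}

# Run this once the new rules are verified to still let you in (e.g. over a
# fresh ssh session). Returns 1 if the watchdog has already rolled back.
fw_confirm() {
    [ -f "$FW_PIDFILE" ] || return 1
    pid=$(cat "$FW_PIDFILE")
    rm -f "$FW_PIDFILE"                     # watchdog sees this and exits
    kill "$pid" 2>/dev/null || true         # best effort: stop the sleep early
}

# Usage on the remote box (not executed here):
#   fw_apply /etc/firewall/new.rules 120   # load new rules, watchdog armed
#   ... check that ssh still works ...
#   fw_confirm                             # keep the new rules
```

If you lose the session before fw_confirm, the watchdog puts the old rules back on its own, which is the whole point of the trick.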