[ale] rc.local

Michael H. Warfield mhw at WittsEnd.com
Wed May 31 20:32:42 EDT 2006


Hold the phone Bob...

	I think you are a little out of date and a little off base on some
details...

On Wed, 2006-05-31 at 17:26 -0400, Bob Toxen wrote:
> On Wed, May 31, 2006 at 10:06:31AM -0400, Geoffrey wrote:
> > Terry Bailey wrote:
> > > Thanks, guys, that really fixed things.  Do you know if 
> > > "/etc/sysconfig/iptables" and "service iptables save" work on SUSE 10?  If 
> > > so, I plan to remove Fedora and reinstall SUSE.

> > To my knowledge, the application service does not exist on SuSE.

	Reread that...  He's saying that the application "service" (as
in /sbin/service) does not exist on SuSE.  Yeah, I know, without the
quotes, it's confusing to read at first but then it clicks just what
he's saying.  He's not saying the "application service" as in the
"iptables" service application.

> It's hardly an application.  The /etc/rc.d/rc3.d/S##iptables script
> just scans the /etc/sysconfig/iptables file and, for rules, puts
> the text "/sbin/iptables " in front of it and executes.  S##iptables's
> "save" feature just does "iptables -n -L" and parses into the /sbin/iptables
> format.

	No...  Not quite...

	Actually, it is correct that the /sbin/service (and I'll use that
nomenclature to avoid further confusion) is in fact just a shell script
(just not the one you were referring to).  Still an application.  It
just happens to be a shell script application that runs the scripts
in /etc/rc.d/init.d (not the ones in rc3.d which is run by the init
program and the initialization scripts).  It'll run anything
in /etc/rc.d/init.d even if it's not linked to any of the rc.d/rc?.d
directories and even if it doesn't have the "chkconfig" comments that
allow /sbin/chkconfig to configure the rc?.d links for you.  It's a
pretty much agnostic frontend to the init scripts in init.d.

	Further note...  The /etc/rc.d/init.d/iptables script, specifically,
(which is typically symlinked into various rc.d/rc?.d directories),
which is run by the /sbin/service command (or run by hand if you are so
inclined), does not put the text "/sbin/iptables" in front of each of
the rules and then executes it.  In fact, it feeds the entire file
wholesale into /sbin/iptables-restore (or /sbin/ip6tables-restore in the
case of /etc/rc.d/init.d/ip6tables).

	Also, the "save" feature does not use iptables -L at all and uses
ip[6]tables-save.  Both iptables-restore and iptables-save are core
components of the iptables package (not RedHat specific at all) and are
binary applications residing in /sbin.

	man iptables-restore
	man iptables-save

> You are FAR better off just creating your shell script containing your
> iptables rules.

	Not...  Just the opposite, in fact.

	Running the iptables command for each command is extremely inefficient
(especially for large sets of rules or rules containing dependencies),
from the standpoint of kernel processing, as the kernel tables have to
be processed and searched and re-evaluated internally by the kernel each
time a rule is individually added that way (this is per discussions on
the netfilter mailing list and on the netfilter web site).  That's the
whole reason for iptables-restore.  It's an atomic (atomic vis-a-vis the
netfilter iptables, that is) load and the kernel only has to rebuild its
internal tables once (per table that is).  That's what that "COMMIT" is
at the bottom of the table load.  It tells iptables-restore that this
table set is complete and to commit the load to the tables.  That's once
for the filter table, once for the nat table, once for the mangle table
(as required)...

	Running iptables individually for specific commands is fine for making
changes or small tables but should not be used for initial loads or
wholesale massive changes.

	Your comments MAY have been true for the older ipchains firewall, I
certainly won't dispute that, but it is no longer true of the newer
netfilter/iptables packages.

> Btw, SuSE has firewall2 (maybe firewall3 or 4 by now) that is a real
> wrapper for IP Tables.  I'm not impressed with it either because the
> rules it builds are so convoluted that it is impossible to know what
> really is allowed.  Build your own rules or copy them out of your copy of
> "Real World Linux Security".

> > -- 
> > Until later, Geoffrey
> 
> > Any society that would give up a little liberty to gain a little
> > security will deserve neither and lose both.  - Benjamin Franklin
> We sure need Ben's wisdom now!
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
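The post above describes the file format the init script feeds to iptables-restore: one `*table` block per table, closed by `COMMIT`, so the kernel rebuilds each table once rather than once per rule. The following script is an added example and is not code from the list post or from any distribution's init script. It constructs a small ruleset in that format (the rules and interface name are made up for illustration), checks that every table block is properly committed before anything is handed to iptables-restore, and counts how many kernel table rebuilds the atomic load costs versus loading the same lines one iptables invocation at a time. The `--test` flag of iptables-restore (parse only, no commit) is assumed to exist in the installed iptables version; the loader function falls back to printing the command when the binary is absent.

```shell
#!/bin/sh
# Added example, not from the original post: validate an iptables-save style
# ruleset and compare atomic loading (iptables-restore) with per-rule loading.
# Requires only POSIX sh, awk and grep. Sample rulesets below are constructed.

RULESET_FILE="${TMPDIR:-/tmp}/example-iptables.$$"
BROKEN_FILE="${TMPDIR:-/tmp}/example-iptables-broken.$$"

# Constructed sample in the format iptables-save writes and iptables-restore reads.
# Each table starts with "*name", lists chain policies and rules, and ends with COMMIT.
cat > "$RULESET_FILE" <<'EOF'
# Generated by iptables-save (constructed example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF

# Constructed broken sample: the filter table is never committed, so
# iptables-restore would reject it and the kernel tables stay untouched.
cat > "$BROKEN_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF

# Return 0 if every "*table" block is closed by COMMIT and no policy or rule
# line sits outside a table block; otherwise report the problem and return 1.
validate_ruleset() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/      { if (in_table) { print "missing COMMIT before " $0; bad = 1 }
                     in_table = 1; next }
        /^COMMIT$/ { if (!in_table) { print "COMMIT without a table"; bad = 1 }
                     in_table = 0; next }
                   { if (!in_table) { print "line outside table block: " $0; bad = 1 } }
        END        { if (in_table) { print "last table never committed"; bad = 1 }
                     exit bad }
    ' "$1"
}

# Number of COMMIT lines: how many times the kernel rebuilds a table when the
# whole file is loaded in one iptables-restore call (once per table).
commits_in() { grep -c '^COMMIT$' "$1"; }

# Number of policy (":CHAIN ...") and rule ("-A ...") lines: how many separate
# kernel table rebuilds the same ruleset costs when each line is issued as its
# own iptables -P / iptables -A invocation from a hand-written shell script.
one_by_one_invocations() { grep -c -E '^(:|-)' "$1"; }

# Atomic load, the way the init script does it: the whole file goes to
# iptables-restore in a single call. With --test (assumed to be supported by
# the installed iptables) the ruleset is only parsed; drop --test to load it.
load_ruleset() {
    validate_ruleset "$1" || return 1
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not found; would run: iptables-restore < $1"
    fi
}

# Remove the constructed sample files.
cleanup_examples() { rm -f "$RULESET_FILE" "$BROKEN_FILE"; }
```

Running `validate_ruleset` followed by `commits_in` and `one_by_one_invocations` on the sample shows the difference the post is describing: the atomic load commits twice (filter, nat), whereas the equivalent per-rule script would trigger ten separate rebuilds, and the broken sample is rejected before anything reaches the kernel.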
