On Thu, 2005-11-03 at 07:32, Peter Farrow wrote:

> Rc.local is used explicitly for the running of scripts after the system
> has booted.

It is used as a catchall for things that don't have more explicit
scripts using the runlevel mechanism.

> Putting your own firewall scripts in here is a good place to put them
> rather than relying on "service iptables save", this is because the
> visibility of changes is poor when using the "service iptables save";
> someone either inadvertently or otherwise may modify the iptables and
> re-issue a "service iptables save" and have it reloaded at boot quite
> transparently.

I don't follow how using the standard mechanism makes something less
visible, or why anyone would think to look in rc.local instead of the
usual place.

> Having it visible in rc.local makes it easily viewable to see if it's
> been changed.

Compared to??

> I would not trust any system hosted on the net with the rather open
> ended "service iptables save". The only benefit that this offers is
> that it brings the firewall up early on in the boot process, meaning at
> boot time the machine is protected sooner.

That's a reasonable point, but if you want to address it you might
suggest a different init script linked to the right places in the
runlevel directories. Someone might find it there...

> To say that putting in rc.local is "not right" is really a bit misguided...

It's not the right place for things that need to be adjusted on runlevel
changes, although it can be used as a quick fix for not having a proper
init script.

-- 
  Les Mikesell
   lesmikesell@xxxxxxxxx
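What the reply suggests, a dedicated init script linked into the runlevel directories instead of a line in rc.local, as an added example that is not part of the thread or of any distribution's own iptables script. It also records a checksum of the saved ruleset, so the case Peter describes (someone editing the rules and re-running "service iptables save") produces a warning at the next boot rather than loading silently. Assumptions, all hypothetical: the ruleset lives at /etc/sysconfig/iptables in iptables-save format, the checksum is kept beside it, GNU sha256sum is installed, and the chkconfig header comment is what "chkconfig --add firewall" reads to create the S/K links.

```shell
#!/bin/sh
# firewall - SysV-style init script that loads a saved iptables ruleset.
# Added example, not from the thread. Assumed (hypothetical) paths:
#   RULES_FILE: ruleset in iptables-save format ("service iptables save" on
#               Red Hat systems is assumed to write /etc/sysconfig/iptables)
#   SUM_FILE:   SHA-256 of the ruleset the administrator last reviewed
# chkconfig: 2345 08 92
# description: loads the saved iptables ruleset and warns if it changed

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
SUM_FILE="${SUM_FILE:-/etc/sysconfig/iptables.sha256}"

# Digest of a file, hex only (GNU coreutils sha256sum assumed).
file_sum() { sha256sum "$1" | cut -d' ' -f1; }

# Sanity-check a ruleset before handing it to iptables-restore: readable,
# names at least one table (*filter, *nat, ...) and closes a table with COMMIT.
valid_ruleset() {
    [ -r "$1" ] || return 1
    grep -q '^\*[a-z]*$' "$1" || return 1
    grep -q '^COMMIT$' "$1" || return 1
}

# 0: ruleset matches the recorded checksum; 1: it changed; 2: nothing recorded.
ruleset_unchanged() {
    [ -r "$SUM_FILE" ] || return 2
    [ "$(file_sum "$RULES_FILE")" = "$(cat "$SUM_FILE")" ]
}

# Record the checksum of the ruleset the administrator has just reviewed.
record_sum() { file_sum "$RULES_FILE" > "$SUM_FILE"; }

start() {
    valid_ruleset "$RULES_FILE" || {
        echo "firewall: $RULES_FILE is missing or not a valid ruleset; not loading" >&2
        return 1
    }
    ruleset_unchanged && rc=0 || rc=$?
    case $rc in
        1) echo "firewall: WARNING: $RULES_FILE differs from the reviewed ruleset" >&2 ;;
        2) echo "firewall: no recorded checksum for $RULES_FILE; run '$0 record' after review" >&2 ;;
    esac
    iptables-restore < "$RULES_FILE"
}

# Like the stock script: flush everything and fall back to ACCEPT policies.
stop() {
    iptables -F && iptables -X
    for chain in INPUT FORWARD OUTPUT; do iptables -P "$chain" ACCEPT; done
}

# Exercise the checks on a constructed ruleset in a temp dir (no root, no iptables).
# Runs in a subshell so the path variables are not changed for the caller.
selftest() (
    tmp=$(mktemp -d) || return 1
    RULES_FILE="$tmp/rules"; SUM_FILE="$tmp/rules.sha256"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$RULES_FILE"
    valid_ruleset "$RULES_FILE" || return 1
    ruleset_unchanged && return 1            # nothing recorded yet must not pass
    record_sum
    ruleset_unchanged || return 1
    echo '-A INPUT -p tcp --dport 22 -j ACCEPT' >> "$RULES_FILE"   # simulate a silent edit
    ruleset_unchanged && return 1
    rm -rf "$tmp"
)

case "${1:-}" in
    start)    start ;;
    stop)     stop ;;
    restart)  stop; start ;;
    status)   iptables -L -n -v ;;
    record)   record_sum ;;
    selftest) selftest ;;
    "")       ;;   # no action given (e.g. sourced): only define the functions
    *) echo "Usage: $0 {start|stop|restart|status|record|selftest}" >&2; exit 2 ;;
esac
```

Install it as /etc/init.d/firewall, run "chkconfig --add firewall" to create the runlevel links, and "service firewall record" after each deliberate change to the ruleset; a boot that prints the WARNING line then means the saved rules were modified by something other than that review step.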