On Mon, 2005-11-07 at 10:38 +0000, Peter Farrow wrote:
> One final point, why would you want to change a firewall on runlevel
> changes?

Oh, I can think of many, many reasons -- from different network services
between run-levels to X11 ports. Sometimes you want to block and/or
forward based on what is running.

> On an internet facing machine this would seem an odd and risky
> thing to do...

That's why I said _try_ to _always_ leave the "main iptables" script
running for _all_ run-levels, then add any supplemental script as
necessary. That way ...

1) the "main iptables" script _always_ comes up before any network
   interfaces,
2) it is _never_ taken down (except for init 0 or init 6, of course), and
3) any supplemental script can be taken up/down as appropriate for init
   levels.

Furthermore, when Red Hat gets more LSB compliant in Fedora Core 5 (so
RHEL5 as well), there will be dependency checking. That will ensure
iptables is up before any network interfaces come up, and network
interfaces are taken down if the iptables rules go down -- depending on
configuration.

> Get your firewall right, and you never need to change it unless the
> function of the box changes; certainly having a firewall change on run
> levels seems weird to me....

That still ignores the fact that you should let the "main iptables"
script run _before_ any network interfaces come up ... not after.
Several people pointed that out. ;->

I think you're reaching at this point -- just let it go. Use what you
wish, but respect why many may disagree. From what I've seen, you're
asserting things that just aren't true with regards to run-levels.

No offense, but if you don't like SysV init, run BSD. @-ppp

--
Bryan J. Smith b.j.smith@xxxxxxxx http://thebs413.blogspot.com
----------------------------------------------------------------------
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman
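The "main script stays up, supplemental script changes per run-level" split described in the message, as an added example that is not part of the original mail or any Red Hat init script. The chain name RUNLEVEL_EXTRA, the port-to-run-level mapping and the DRY_RUN switch are assumptions for illustration; the point is that run-level changes only ever flush the supplemental chain, never the main rules.

```shell
#!/bin/sh
# Added example, not from the original mail. Main ruleset for all run-levels
# plus a supplemental chain that is refilled per run-level.
# DRY_RUN=1 (default) prints the iptables commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
SUPP_CHAIN=RUNLEVEL_EXTRA   # assumed chain name for run-level specific rules

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Main ruleset: default deny inbound, allow loopback and established traffic.
# Meant to run before any interface comes up and to stay up until init 0/6.
main_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hook point for the supplemental rules; the chain exists even when empty.
    ipt -N "$SUPP_CHAIN" 2>/dev/null || true
    ipt -A INPUT -j "$SUPP_CHAIN"
}

# Supplemental rules for one run-level. Only the supplemental chain is
# flushed and refilled, so INPUT and its policy are never touched here.
# Port choices per run-level are constructed for the example.
supplemental_rules() {
    level=$1
    ipt -F "$SUPP_CHAIN"
    case "$level" in
        3) ipt -A "$SUPP_CHAIN" -p tcp --dport 22 -j ACCEPT ;;
        5) ipt -A "$SUPP_CHAIN" -p tcp --dport 22 -j ACCEPT
           # X11 only from the local host when the graphical run-level is up.
           ipt -A "$SUPP_CHAIN" -p tcp --dport 6000 -s 127.0.0.1 -j ACCEPT ;;
        0|6) ;;   # shutdown/reboot: leave the supplemental chain empty
        *) ;;     # other run-levels: no extra services opened
    esac
}
```

Run `main_rules` once from the early boot script and `supplemental_rules "$RUNLEVEL"` from the per-run-level script; with DRY_RUN=1 both just print the rules they would apply.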