> 1) What option is the best: at first I set the default
> policies in the chains and later I flush all the existing
> firewall rules or vice versa ???
>
> 2) Is it a good practice to start the iptables firewalling
> rules from the rc.local script or is it better from the
> /etc/init.d/iptables script ??? (I use RH 9 and I start
> iptables from rc.local)

I'd:

- stop kernel forwarding,
- set the default policy (to DROP),
- flush the chains (even if you think they're empty; it won't hurt),
- create the rules I need,
- if needed, start kernel forwarding,
- let the script start from /etc/init.d/iptables, or whatever the script is called.

The reason for the last step is that you want the iptables script started as quickly as possible, so that there is (virtually) no time to hack the machine before the rules are loaded. Best would be to start the script first and then start the network, so that the network isn't up before the rules are loaded. If you start it from /etc/rc.d/rc.local, the script is started at the very end of the startup sequence, and by then the network has already been up for some time.

Gr,
Rob
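The ordering Rob lists, as an added example script that is not part of the original thread. The policy is set to DROP before the flush so the host is never left in an accept-all state, and the specific ACCEPT rules (loopback, established traffic, SSH) and the `IPT`/`FWD` overrides for a root-less dry run are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example: bootstrap iptables in the order from the thread.
# IPT and FWD are assumed overrides; set IPT=echo and FWD to a
# non-writable path to dry-run without root or iptables installed.
IPT="${IPT:-iptables}"
FWD="${FWD:-/proc/sys/net/ipv4/ip_forward}"

# $1 is 0 or 1; writes the ip_forward sysctl when it is writable.
set_forwarding() {
    if [ -w "$FWD" ]; then
        echo "$1" > "$FWD"
    else
        echo "forwarding=$1 (dry-run)"
    fi
}

apply_firewall() {
    # 1) stop kernel forwarding so nothing is routed while rules change
    set_forwarding 0
    # 2) default policies first: with DROP in place, the flush that
    #    follows leaves the box closed rather than wide open
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # 3) flush rules and delete user-defined chains; harmless if empty
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    # 4) the rules actually needed (assumed minimal set)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 5) re-enable forwarding only if this host is meant to route
    if [ "${ENABLE_FORWARDING:-0}" = 1 ]; then
        set_forwarding 1
    fi
}

# Install this as the init script that runs before the network service
# (e.g. /etc/init.d/iptables), not from rc.local, so the policies are
# in place before any interface comes up.
if [ "${RUN_FIREWALL:-0}" = 1 ]; then
    apply_firewall
fi
```

Run with `RUN_FIREWALL=1` as root to apply, or `RUN_FIREWALL=1 IPT=echo FWD=/nonexistent sh script.sh` to print the command sequence instead.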