Quote from "Curby ." <kirbysdl@xxxxxxxxxxx>:

> In what order should I have /etc/init.d/network and my iptables setup script
> (henceforth called "iptables") start?
>
> If network starts first, netfilter defaults all filter chains to ACCEPT
> policy, so there's a tiny chance that someone could do something unwanted.
> Is this sufficient reason to start iptables or otherwise change chain
> policies before network? I'm thinking yes.
>
> If iptables starts before network, then network could override settings in
> /proc/sys/net when it calls upon /etc/sysctl.conf. Additionally, it would
> be harder to identify dynamic IPs, additional IPs set with "ip addr add",
> etc., simply because the network isn't up yet.

We do it this way:

Load a really tiny iptables script from /etc/init.d/boot.local to set all default policies to DROP and only add a rule for SSH connections. boot.local is started after the initial boot processes but before any run level 1 tasks.

With the standard run-level scripts, load the full firewall script *after* the network start. This is because we do some MAC-address hard-coding that only works after the network is started. With this script we also tune the network security parameters.

Regards
Andreas
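The first stage of the two-stage approach Andreas describes, as an added example that is not part of the original thread: a minimal early-boot script that defaults every filter chain to DROP before the network comes up and admits only SSH. The SSH port (TCP/22), the iptables path and the use of the conntrack match are assumptions; setting IPT=echo gives a dry run that prints the rules instead of applying them.

```sh
#!/bin/sh
# Minimal early-boot firewall, meant to be called from /etc/init.d/boot.local
# (e.g. "sh /etc/early-firewall.sh apply") before /etc/init.d/network runs.
# The full ruleset (MAC pinning, sysctl tuning) is loaded later, after network.
# Assumptions: iptables at /usr/sbin/iptables, SSH on TCP/22. Override IPT=echo
# to print the rules instead of loading them.
IPT="${IPT:-/usr/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"

early_firewall() {
    # Start from a clean filter table so no ACCEPT default survives.
    "$IPT" -F
    "$IPT" -X
    # Default-deny on all three filter chains; bringing the network up later
    # cannot widen this, only the full script appends further ACCEPT rules.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
    # Loopback must keep working for local daemons.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Stateful: accept traffic belonging to connections already tracked.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The single inbound service allowed at this stage: new SSH connections.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Let the host initiate outbound connections (DNS, NTP, updates).
    "$IPT" -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when explicitly asked; sourcing the file just defines the function.
if [ "${1:-}" = "apply" ]; then
    if [ "$IPT" != "echo" ] && [ "$(id -u)" -ne 0 ]; then
        echo "early-firewall: must run as root" >&2
        exit 1
    fi
    early_firewall
fi
```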