Old 01-14-2011, 09:34 PM
Bob Proulx
 
Default networking

Paul Cartwright wrote:
> Bob Proulx wrote:
> > I think you did put that in there. It has that look. As to whether
> > it /should/ be there... well *I* wouldn't put it there. :-) I think
> > that type of reloading belongs elsewhere such as in an if-up.d/*
> > script. But I don't know about your firewall setup. I could guess
> > something like this in /etc/network/if-up.d/local-firewall using your
> > current config as a template.
>
> I just googled it and found this:
> http://www.linuxquestions.org/questions/ubuntu-63/where-is-iptables-config-file-584024/
>
> There's no default. You can set your iptables config anywhere you want.
> Add a "pre-up" line to your //etc/network/interfaces/ file, calling
> the/iptables-restore/ command. Say you choose //etc/example.txt/ - in
> your //etc/network/interfaces/ file you'd have a line like:
> Code:
>
> pre-up iptables-restore < /etc/example.txt

> This loads the iptables config before the network interfaces are put
> online. BTW, make sure you never edit your config file manually.
> Populate it with a /iptables-save/ command, like:
> Code:
>
> iptables-save > /etc/example.txt

But in that case I think the intention would be to associate it with
the eth* device and not the lo device.

To be clear you had:

auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/firewall-rules

I was going "ew..." about having it associated in time with the lo
device coming online. If you move that down to the eth0 device then I
wouldn't have made that comment. I mean something like this from your
example:

auto eth0
iface eth0 inet static
address 192.168.10.2
netmask 255.255.255.0
dns-nameservers 4.2.2.3 208.67.222.222 208.67.220.220 4.2.2.2 192.168.10.1
gateway 192.168.10.1
pre-up iptables-restore < /etc/firewall-rules

Associated with the eth0 device that looks okay to me. I would move
it from the lo device to the eth0 device. The example you referenced
didn't say specifically which device to associate it with and so left
that part as an exercise to the reader.

Also it isn't required but I think it looks a lot easier to read if
the associated parts are indented. This is also as shown in the
interfaces documentation.

man interfaces

Indented more like this would be nice.

auto eth0
iface eth0 inet static
    address 192.168.10.2
    netmask 255.255.255.0
    dns-nameservers 4.2.2.3 208.67.222.222 208.67.220.220 4.2.2.2 192.168.10.1
    gateway 192.168.10.1
    pre-up iptables-restore < /etc/firewall-rules

The reason it is working for you associated with the lo device is that
both lo and eth0 are coming online at the same time because both are
configured for you as 'auto' devices. Therefore they come online at
boot time with '/etc/init.d/networking start'. So I assume that it is
working, I am not saying it is not. But if you were to manipulate lo
and eth0 individually for any reason then the pre-up would be reloaded
when you restarted lo but not for eth0. That is the part that seemed
odd to me. Because I would think the firewall rules would be tied to
eth0 and you would want to load them when eth0 comes online. Of
course once in totality at system boot time might be just fine for you
too. Or maybe you do only want the firewall rules loaded when lo
comes online. But it seemed odd and so I commented about it. YMMV.

Bob
 
Old 01-14-2011, 09:45 PM
"Bonno Bloksma"
 
Default networking

"Bob Proulx" wrote:

>> Bonno Bloksma wrote:
>>> I have been wondering about this and have not seen any definitive
>>> documentation, or if there is, I have not understood it.
>>> Does "auto" imply "allow-hotplug"? If not, should I have both
>>> auto eth0 eth1
>>> and
>>> allow-hotplug eth0 eth1
>>> lines in my interfaces file?
>>
>> AFAIK, allow-hotplug makes the interface come up only when a cable
>> is plugged in. auto makes the interface come up at boot time
>> regardless of the cable state.

>You are exactly correct. Having 'auto' is the old way that starts
>networking with '/etc/init.d/networking start'. But that does not
>enable event driven actions such as link status change from plugging
>and unplugging the cable. For that you need 'allow-hotplug'. But
>that new way doesn't enable '/etc/init.d/networking restart' to do
>anything.

Aha, so that is why I had to restart my entire Debian machine every time I
made a change in my networking setup. I tried network restart like I used to
with our RedHat (Fedora, CentOS, etc) configurations but it never worked
properly.

>Since hotplugging is the new way the debian-installer now sets that up
>for new systems. Using an event driven network configuration is
>definitely an improvement in general and the right direction to go.
>But us old-timers who want to be able to restart the networking then
>find that '/etc/init.d/networking restart' doesn't do anything. For
>that we also need 'auto' to be present.

Ok, I will add both to my interfaces file. That should cover all situations.

Bonno Bloksma



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/000a01cbb43c$c1de9b60$459bd220$@bloksma@tio.nl
 
Old 01-14-2011, 09:56 PM
Paul Cartwright
 
Default networking

On 01/14/2011 05:34 PM, Bob Proulx wrote:
> the eth* device and not the lo device.
>
> To be clear you had:
>
> auto lo
> iface lo inet loopback
> pre-up iptables-restore < /etc/firewall-rules
>
> I was going "ew..." about having it associated in time with the lo
> device coming online. If you move that down to the eth0 device then I
> wouldn't have made that comment. I mean something like this from your
> example:
oh, wow, I totally MISSED that, now I see what you mean, thanks!
I added your script anyway to the ip-up.d/firewall-rules, that looks
more better
took it out of interfaces. It actually didn't do what I want anyway, the
file it used was dated, and had not been updated with recent changes!


--
Paul Cartwright
Registered Linux user # 367800


Archive: http://lists.debian.org/4D30D494.2040508@pcartwright.com
 
Old 01-14-2011, 10:14 PM
shawn wilson
 
Default networking

On Jan 14, 2011 5:56 PM, "Paul Cartwright" <debian@pcartwright.com> wrote:
>
> On 01/14/2011 05:34 PM, Bob Proulx wrote:
> > the eth* device and not the lo device.
> >
> > To be clear you had:
> >
> > auto lo
> > iface lo inet loopback
> > pre-up iptables-restore < /etc/firewall-rules
> >
> > I was going "ew..." about having it associated in time with the lo
> > device coming online. If you move that down to the eth0 device then I
> > wouldn't have made that comment. I mean something like this from your
> > example:
> oh, wow, I totally MISSED that, now I see what you mean, thanks!
> I added your script anyway to the ip-up.d/firewall-rules, that looks
> more better
> took it out of interfaces. It actually didn't do what I want anyway, the
> file it used was dated, and had not been updated with recent changes!
>

If you do that, you might want to put something that cleans up those iptables rules in if-down.d. I don't recall if iptables will chain rules if you're -Appending rules, but it might cause issues. Though, I suppose if there hasn't been an issue so far with that in your interfaces file, there shouldn't be an issue here. That said, it's my general rule to make sure things clean up after themselves anyway...
 
Old 01-14-2011, 11:19 PM
Jimmy Wu
 
Default networking

On Fri, Jan 14, 2011 at 16:31, Bob Proulx <bob@proulx.com> wrote:
> Paul Cartwright wrote:
> I think you did put that in there. It has that look. As to whether
> it /should/ be there... well *I* wouldn't put it there. :-) I think
> that type of reloading belongs elsewhere such as in an if-up.d/*
> script. But I don't know about your firewall setup. I could guess
> something like this in /etc/network/if-up.d/local-firewall using your
> current config as a template.
>
> #!/bin/sh
> case $IFACE in
>     eth*)
>         iptables-restore < /etc/firewall-rules
>         ;;
> esac
> exit 0
>
> That will run your command whenever any eth* device is brought up.
>
> Personally I like the shorewall package quite a bit for setting up
> firewalls.

I use ferm - it has a nice config file syntax that closely mirrors
iptables command syntax, and it's been a set and forget thing since it
"starts" during boot as an rc script in /etc/init.d/ by loading the
firewall rules and you can use the stop start restart commands to
enable/disable the firewall.


Archive: http://lists.debian.org/AANLkTimjZ0KWZLRc-a4ACa_EkTiSj3Y3j_+ndsqNM7tr@mail.gmail.com
 
Old 01-14-2011, 11:25 PM
Tom H
 
Default networking

On Fri, Jan 14, 2011 at 4:31 PM, Bob Proulx <bob@proulx.com> wrote:
> Paul Cartwright wrote:
>> Bob Proulx wrote:
>>
>> #iptables loaded here:
>> pre-up iptables-restore < /etc/firewall-rules
>
> That looks like something local to your system. It seems like an odd
> place to put that. It looks like someone was trying to reload the
> firewall rules at startup time but didn't know about the directory of
> scripts /etc/network/if-up.d/* and so associated the timing with the
> loopback device coming online instead. Eww...
>>
>> did I put that iptables entry in? I don't remember.. should it be there?
>
> I think you did put that in there. It has that look. As to whether
> it /should/ be there... well *I* wouldn't put it there. :-) I think
> that type of reloading belongs elsewhere such as in an if-up.d/*
> script. But I don't know about your firewall setup. I could guess
> something like this in /etc/network/if-up.d/local-firewall using your
> current config as a template.
>
> #!/bin/sh
> case $IFACE in
>     eth*)
>         iptables-restore < /etc/firewall-rules
>         ;;
> esac
> exit 0
>
> That will run your command whenever any eth* device is brought up.

See http://wiki.debian.org/iptables because it suggests the
"/etc/firewall-rules" location.

I usually put the equivalent of "/etc/firewall-rules" (so without
using "iptables-restore") in "/etc/network/if-pre-up.d" because I want
the firewall up before the network's brought up. Using "pre-up" in
"/etc/network/interfaces" is basically the same thing, AFAIK.


Archive: http://lists.debian.org/AANLkTimM7FHgTyim7uE06iFHP9G3616t3g__MsWgH6kf@mail.gmail.com
 
Old 01-14-2011, 11:30 PM
Tom H
 
Default networking

On Fri, Jan 14, 2011 at 6:14 PM, shawn wilson <ag4ve.us@gmail.com> wrote:
> On Jan 14, 2011 5:56 PM, "Paul Cartwright" <debian@pcartwright.com> wrote:
>>
>> I added your script anyway to the ip-up.d/firewall-rules, that looks
>> more better
>> took it out of interfaces. It actually didn't do what I want anyway, the
>> file It used was dated, and had not been updated with recent changes!
>
> If you do that, you might want to put something that cleans up those
> iptables rules in if-down.d. don't recall if iptables will chain rules if
> you're -Appending rules, but it might cause issues. Though, I suppose if
> there hasn't been issue so far with that in your interfaces file, there
> shouldn't be issue here. That said, its my general rule to make sure things
> clean up after themselves anyway...

+1

I flush and delete the rules and set the policies to ACCEPT in
"/etc/network/post-down.d".


Archive: http://lists.debian.org/AANLkTimNBZoLBZVHcC-SdZoFJZP7E_96bpkYLq2_QPna@mail.gmail.com
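As an added example (not a script posted by anyone in this thread), the following hook file combines the two ideas above: Bob's `case $IFACE in eth*)` test on the way up, and the flush-everything-and-set-policies-to-ACCEPT clean-up Tom H describes on the way down. It assumes the /etc/firewall-rules location used in the thread, that the same file is installed (or symlinked) as both /etc/network/if-up.d/local-firewall and /etc/network/if-post-down.d/local-firewall, and that ifupdown exports IFACE and MODE ("start" or "stop") to its hooks as interfaces(5) documents. The function names `wants_firewall`, `plan_actions` and `run_actions` are chosen here; commands are produced as text first so the decision logic can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: one ifupdown hook for both
# /etc/network/if-up.d/local-firewall and /etc/network/if-post-down.d/local-firewall.
# ifupdown exports IFACE (device name) and MODE ("start" when bringing the
# interface up, "stop" when taking it down) to every hook it runs.

RULES=${RULES:-/etc/firewall-rules}   # rule file location used in the thread

# wants_firewall IFACE -> 0 if the rules belong to this interface (eth*), else 1.
# "lo" never matches, so restarting the loopback device leaves the rules alone,
# which is the objection Bob raised about "pre-up" on the lo stanza.
wants_firewall() {
    case $1 in
        eth*) return 0 ;;
        *)    return 1 ;;
    esac
}

# plan_actions IFACE MODE -> prints the iptables commands for this event,
# one per line; prints nothing when the event is not ours.
plan_actions() {
    wants_firewall "$1" || return 0
    case $2 in
        start)
            # iptables-restore replaces the tables wholesale, so repeated
            # "start" events do not pile up duplicate -A rules.
            echo "iptables-restore < $RULES" ;;
        stop)
            # Clean-up on the way down: open the policies first so a flush
            # with a DROP policy cannot lock the box out, then flush and
            # delete every chain so the next restore starts from a known state.
            for c in INPUT FORWARD OUTPUT; do
                echo "iptables -P $c ACCEPT"
            done
            for t in filter nat mangle; do
                echo "iptables -t $t -F"
                echo "iptables -t $t -X"
            done ;;
    esac
}

# run_actions IFACE MODE -> executes what plan_actions printed.
run_actions() {
    plan_actions "$1" "$2" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Hook entry point: only act when ifupdown invoked us (IFACE is set).
if [ -n "$IFACE" ]; then
    run_actions "$IFACE" "$MODE"
fi
```

Invoked by hand as `IFACE=eth0 MODE=start sh local-firewall` it restores the rules; `IFACE=lo MODE=start sh local-firewall` does nothing, and `IFACE=eth0 MODE=stop sh local-firewall` performs the clean-up. Remember that hook files must be executable and have names acceptable to run-parts (no dots) or ifupdown silently skips them.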
 
Old 01-15-2011, 01:57 AM
Andrew McGlashan
 
Default networking

Bob Proulx wrote:
> The more typical use would be with a dhcp device. Which would look
> like this:
>
> auto eth0
> allow-hotplug eth0
> iface eth0 inet dhcp


Okay, well the debian squeeze rc1 installer doesn't add "auto eth0" for
dhcp. That explains why the networking comes up delayed ... it still
comes up though, just not as quickly.



# cat interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp


Just tried the rc1 last night ;-)


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


Archive: http://lists.debian.org/4D310D23.6020608@affinityvision.com.au
 
Old 01-15-2011, 06:45 AM
Andrei Popescu
 
Default networking

On Vi, 14 ian 11, 19:19:01, Jimmy Wu wrote:
>
> I use ferm - it has a nice config file syntax that closely mirrors
> iptables command syntax,

I prefer shorewall because it has a very intuitive syntax.

> and it's been a set and forget thing since it
> "starts" during boot as an rc script in /etc/init.d/ by loading the
> firewall rules and you can use the stop start restart commands to
> enable/disable the firewall.

Same

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 01-16-2011, 02:19 PM
Osamu Aoki
 
Default networking

Hi,

It seems Bob explained good basics but I think there is some other
confusion here.

On Fri, Jan 14, 2011 at 08:13:38PM +0530, Mihira Fernando wrote:
> AFAIK, allow-hotplug makes the interface come up only when a cable
> is plugged in.

No, it comes up when the device becomes available to the Linux kernel, even
if the wires are not plugged in. The wiring event is something you need
ifplugd to take care of.

> auto makes the interface come up at boot time
> regardless of the cable state.

http://www.debian.org/doc/manuals/debian-reference/ch05.en.html#list-of-stanzas-in-eni
(I read the source to come up with this table).

auto is the old name for allow-auto, which is started by the initialization script.

allow-hotplug is new and it starts when the device becomes available to the
Linux kernel.

Osamu


Archive: http://lists.debian.org/20110116151904.GA12217@debian.org
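The thread turns on two things an interfaces(5) file says about each device: whether it is listed under "auto" (started by /etc/init.d/networking), under "allow-hotplug" (started when the kernel reports the device), or both, as Bonno and Osamu discuss, and which stanza carries the "pre-up iptables-restore" line, which was Bob's objection to the lo stanza. The following is an added example, not code from the thread or from ifupdown: a small POSIX sh parser that reads an interfaces file and reports both facts per interface. The sample file it writes is constructed here to mirror the stanzas quoted in the thread; `has_word`, `interfaces_report` and `write_sample` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an interfaces(5) file.
# Output is one line per "iface" stanza:
#   NAME auto=yes|no hotplug=yes|no firewall=pre-up|none

# has_word LIST WORD -> prints "yes" if WORD is in the space-separated LIST.
has_word() {
    case " $1 " in
        *" $2 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# interfaces_report FILE -> the per-interface summary described above.
interfaces_report() {
    file=$1
    auto_list="" hotplug_list="" fw_list="" ifaces="" cur=""
    set -f                          # no globbing while we word-split lines
    while IFS= read -r line || [ -n "$line" ]; do
        # shellcheck disable=SC2086
        set -- $line                # word-split; indentation is dropped
        [ $# -eq 0 ] && continue
        case $1 in
            \#*) ;;                                        # comment line
            auto|allow-auto) shift; auto_list="$auto_list $*" ;;
            allow-hotplug)   shift; hotplug_list="$hotplug_list $*" ;;
            iface)           cur=$2; ifaces="$ifaces $2" ;;
            pre-up)
                # record which stanza the firewall reload is attached to
                case $* in
                    *iptables-restore*) fw_list="$fw_list $cur" ;;
                esac ;;
        esac
    done < "$file"
    set +f
    for i in $ifaces; do
        if [ "$(has_word "$fw_list" "$i")" = yes ]; then fw=pre-up; else fw=none; fi
        printf '%s auto=%s hotplug=%s firewall=%s\n' "$i" \
            "$(has_word "$auto_list" "$i")" "$(has_word "$hotplug_list" "$i")" "$fw"
    done
}

# write_sample FILE -> constructed sample: lo carries the pre-up reload that
# Bob objected to, eth0 is hotplug-only as in Andrew's squeeze rc1 file.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: the stanzas discussed in this thread
auto lo
iface lo inet loopback
    pre-up iptables-restore < /etc/firewall-rules

allow-hotplug eth0
iface eth0 inet dhcp
EOF
}

sample=$(mktemp)
write_sample "$sample"
interfaces_report "$sample"
rm -f "$sample"
```

On the constructed sample this prints `lo auto=yes hotplug=no firewall=pre-up` and `eth0 auto=no hotplug=yes firewall=none`, which is exactly the combination the thread flags: the firewall reload rides on lo, and eth0 will not be restarted by `/etc/init.d/networking restart` because it lacks an `auto` line. Pointing it at a real file (`interfaces_report /etc/network/interfaces`) shows the same summary for a live system.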
 
