Question about how to enable fiaif at boot.

Steven W. Orr email hidden
Tue Nov 29 05:23:47 CET 2005


On Monday, Nov 28th 2005 at 21:43 +0100, quoth Anders Peter Fugmann:

=>Steven W. Orr wrote:
=>> I'm sure this has been discussed before but I just don't get it. The problem
=>> is that whenever I reboot, the firewall is not established. I have to
=>> manually say
=>> service fiaif restart
=>> 
=>> My theory is that this is happening because the ip address of the interface
=>> is not known at the time that service script is executing.
=>Nope. FIAIF should be started before any interfaces are brought up for maximum
=>security.

Ok. But if that's true then what is the mechanism that makes this work if 
the iptables commands were already run *before* the current address is 
known?

=>> Here's my setup: I have a cable modem that talks to my provider's DHCP
=>> server. So theoretically I don't know what my ip address is. In my zone.ext
=>> I have the following two lines.
=>> 
=>> NAME=EXT
=>> DEV=eth0
=>> DYNAMIC=1
=>> GLOBAL=1
=>> IP_EXTRA=""
=>> NET_EXTRA=""
=>> DHCP_SERVER=0
=>Dynamic just means that FIAIF does not apply extra checks for matching IP
=>numbers and networks addresses.
=>
=>> 
=>> The /etc/rc.d/init.d/fiaif has a chkconfig of
=>> # chkconfig: 345 08 92
=>> 
=>> which means that it executes *before* the network script which has this line
=>> # chkconfig: 2345 10 90
=>> 
=>> Am I crazy or shouldn't the chkconfig line in the fiaif script have a start
=>> index > 10 so it executes after the address is known? Am I missing
=>> something?
=>Seems like a problem in your distribution.

You could be right but I doubt it. I'm running Fedora Core 4. Fiaif starts 
on 8 and network starts on 10 so according to what you're saying, 
everything should be correct. The problem is that when the firewall is 
started (on 8) before the network service, the firewall that I end up with 
(visible via iptables -L -n) is a null firewall. The chains were created 
but there's no hard firewall.

Is this making sense?

-- 
steveo at syslang dot net TMMP1 http://frambors.syslang.net/
Do you have neighbors who are not frambors?
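As an added example that is not part of the original post and is not FIAIF's own code, the following script shows one way a rule set can be valid when it is loaded before the external interface has obtained its DHCP lease: every rule matches on the interface name, the connection-tracking state or the DHCP ports, and none references the (still unknown) address of eth0. The interface name eth0 is taken from the poster's zone.ext; the allowed service (ssh on tcp/22) and the DRY_RUN switch are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the original post or from FIAIF): a minimal
# stateful firewall whose rules are keyed only on the interface name,
# so it can be loaded before eth0 has a DHCP address.
# Assumptions: the external interface is eth0 (as in the poster's
# zone.ext); allowing ssh is hypothetical. With DRY_RUN=1 (the default
# here) the iptables commands are printed instead of executed.

EXT_DEV="${EXT_DEV:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rule set. Every match uses -i, -m state or a DHCP port;
# nothing references the address of $EXT_DEV, so the rules mean the
# same thing whether or not the lease has been obtained yet.
apply_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # DHCP replies from the provider arrive before we have an address;
    # match them by interface and port only.
    ipt -A INPUT -i "$EXT_DEV" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A INPUT -i "$EXT_DEV" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$EXT_DEV" -j DROP
}

# Check helper: count rules that hard-code an IPv4 address via -s/-d.
# A non-zero count means the rule set depends on knowing the address at
# load time, which is exactly what is not available when the firewall
# script runs before the network script.
count_address_rules() {
    apply_rules | grep -Ec -- '(-s|-d|--source|--destination) +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' || true
}

# Ordering as the poster describes it: start at 08 (before network at 10),
# stop at 92 (after network stops at 90).
# chkconfig: 345 08 92
```

Run it with DRY_RUN=1 to review the generated commands, and compare them against `iptables -L -n` after a reboot; a rule set that needs the lease address would have to be (re)applied from a DHCP client hook after the lease arrives instead of from an init script that runs before the network service.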