
Re: Red Hat 7.2 and example firewall script



On Sun, 2 Dec 2001, Stephan André Schmidt wrote:

>> >from 6.2 to 7.1. Now, under 7.2, it seems that this ipchains based script
>> >does not work anymore. I have turned on the ipchains compatibility mode in
>> >the kernel sources but doing a '/etc/init.d/firewallss start/status/stop'
>> >does not give me any output. Does 7.2 not support ipchains based scripts
>> >anymore?
>> 
>> You have to load the ipchains kernel module via modprobe before
>> using ipchains.
>> 
>> In 7.1, due to a bug, the ipchains module got loaded by accident
>> automatically.
>> 
>
>Does this imply that compiling the ipchains compatibility 'fix' into the 
>kernel does not work?

Not exactly sure what "fix" you're referring to exactly.  My 
comments assume one is using a Red Hat supplied kernel.

If you use the Red Hat supplied kernels, ipchains is supported
via loadable kernel modules.  By default no firewalling modules
are loaded at all.  Red Hat kernels support both ipchains and
iptables firewalling via kernel modules.  It is not possible to 
use both simultaneously nor load support for both simultaneously, 
so whatever firewall software you are using, be it the supplied 
tools, 3rd party tools, or a homemade script, each is responsible 
for loading the kernel modules that it requires.

If using the supplied Red Hat firewall configuration tools, the
appropriate firewall modules should get loaded by the supplied
ipchains or iptables initscripts assuming the given service has
been enabled properly and the firewall properly configured.

If using alternative firewall tools, or homebrew firewall
scripts, you need to manually load either the ipchains module or 
the iptables modules depending on which interface the firewall 
scripts you are using require.  The supplied ipchains/iptables 
initscripts are part of the supplied tools, and are not intended 
for generically loading kernel modules for custom scripts.

If you use custom kernels, you may or may not have to load kernel 
modules depending on how you built the kernel.

There seems to be some confusion lately with ipchains and 
iptables and the supplied initscripts.  I am just clarifying that 
the initscripts are not intended for homebrew scripts.  This is 
probably confused by the choice of names for the initscripts.  
Instead of being called /etc/init.d/ipchains, it probably should 
have been called /etc/init.d/redhat-ipchains-firewall, or 
/etc/init.d/redhat-lokkit or somesuch.

Hope this clarifies things a bit.



-- 
----------------------------------------------------------------------
Mike A. Harris                  Shipping/mailing address:
OS Systems Engineer             190 Pittsburgh Ave., Sault Ste. Marie,
XFree86 maintainer              Ontario, Canada, P6C 5B3
Red Hat Inc.                    Phone: (705)949-2136
http://www.redhat.com           ftp://people.redhat.com/mharris
Red Hat XFree86 mailing list:   xfree86-list redhat com
General open IRC discussion:    #xfree86 on irc.openprojects.net
----------------------------------------------------------------------
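
What the reply above describes for a homebrew script, as an added example (not code from the post or from Red Hat): the script checks that the other interface's module is not loaded, loads its own module, and stops before applying rules if either step fails. The `ip_tables` module name, the function names and the `MODULES_FILE`/`MODPROBE` overrides are assumptions of this example, which also assumes a modular kernel.

```shell
#!/bin/sh
# Added example: module handling for a homebrew ipchains/iptables script.
# MODULES_FILE and MODPROBE can be overridden so the logic can be exercised
# without touching the running kernel (both names are assumptions).
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# module_loaded NAME: succeeds only if NAME is exactly the first field of a
# line in MODULES_FILE (so a longer module name does not match by prefix).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE"
}

# ensure_backend ipchains|iptables: make the requested interface usable.
# Returns 0 when ready, 2 when the other interface's module is loaded,
# 3 when modprobe fails, 64 on a bad argument.
ensure_backend() {
    case "$1" in
        ipchains) want=ipchains;  other=ip_tables ;;
        iptables) want=ip_tables; other=ipchains  ;;
        *) echo "usage: ensure_backend ipchains|iptables" >&2; return 64 ;;
    esac
    # Both interfaces cannot be loaded at once, so refuse instead of
    # letting the later rule commands fail without a clear reason.
    if module_loaded "$other"; then
        echo "refusing: $other is loaded; unload it before using $1" >&2
        return 2
    fi
    module_loaded "$want" && return 0
    "$MODPROBE" "$want" || { echo "modprobe $want failed" >&2; return 3; }
}

# In the script's start) branch, before any rule is applied:
#   ensure_backend ipchains || exit 1
```

Exiting non-zero when the module is missing gives the init script a visible failure rather than a start that produces no output and leaves the host without rules.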
