  #1  
Old 4th January 2005, 05:49 AM
mceachrw Offline
Registered User
 
Join Date: Jan 2005
Posts: 2
where to execute guarddog script?

i am using fc2, kernel 2.6.9-1.6_FC2, iptable 1.2.9-2.3.1, guarddog 2.2.0.

i used guarddog to create a set of firewall rules. guarddog then generated a script /etc/rc.firewall that can be run to apply the rules. i ran the script (after adding /sbin/modprobe ip_conntrack_tftp to get the tftp server to work) and everything seemed to work as i wanted. after that, i ran /sbin/service iptables save to save the rule set to /etc/sysconfig/iptables.

i rebooted to make sure everything worked from a clean boot, but it did not. the ruleset seemed to load fine, but i believe there are some other lines in the /etc/rc.firewall script that need to be run as well. i know one is /sbin/modprobe ip_conntrack_tftp.

i know i need to run the /etc/rc.firewall script at boot. how and where is the proper place to do this? also, do i need to do anything whenever a network interface is brought up or down?


from the guarddog README:
Guarddog generates a shell script at /etc/rc.firewall which should be run at
boot time.

* Mandrake Linux - runs /etc/rc.firewall at boot time by default which
is good. But most other distributions are not set up like this. The firewall
should be run before any network interfaces are enabled.

* SuSE & Debian - can be set up to run the firewall at boot time by appending
the following lines to /sbin/init.d/boot.local for SuSE and for Debian
use /etc/init.d/bootmisc.sh.

# Guarddog
if [ -r /etc/rc.firewall ]; then
    . /etc/rc.firewall
fi

Thanks to Björn Breitsprecher and Carsten M. Schademann for help with this.

* Other Distributions - I expect that running the firewall script at boot time
on other Linux distributions follows similar lines as SuSE above. Basically
find a suitable boot script and add some lines to execute the rc.firewall
file if it exists.

If you figure out how to start Guarddog at boot time for your particular
distribution, please send me an email and let me know how.

Network Interface Up/Down
-------------------------
The firewall script that Guarddog creates needs to be run whenever a
network interface is brought up or down. In fact if Guarddog is not run
after a network interface is brought up then the firewall *should* stop
all traffic through that interface. This is a security feature.

* Mandrake Linux and maybe Redhat - Unfortunately this isn't as simple as
I would hope... The Mandrake networking scripts have 'hooks' which can
be used for getting things like firewalls run whenever a network
interface is brought up or down. Log in as root and execute the next two
commands:

ln -s /etc/rc.firewall /sbin/ifup-local
ln -s /etc/rc.firewall /sbin/ifdown-local
  #2  
Old 5th January 2005, 02:49 AM
Jman Offline
Registered User
 
Join Date: Mar 2004
Location: Minnesota, USA
Age: 27
Posts: 7,909
The last lines from the readme about Red Hat seem the most promising.
Code:
ln -s /etc/rc.firewall /sbin/ifup-local
ln -s /etc/rc.firewall /sbin/ifdown-local
I believe these get run when an interface goes up or down.

The iptables firewall service is defined in the /etc/rc.d/init.d/iptables script.
  #3  
Old 5th January 2005, 11:42 PM
mceachrw Offline
Registered User
 
Join Date: Jan 2005
Posts: 2
ln -s /etc/rc.firewall /sbin/ifup-local
ln -s /etc/rc.firewall /sbin/ifdown-local

that did the trick. everything worked as desired after a reboot, /sbin/ifdown eth0 and /sbin/ifup eth0. i should have tried this before posting, but i did not want to mess up a mission critical server. it is running mythtv. my wife would have a fit if she missed a recording.

thanks,
rusty
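
A check for the setup this thread arrives at, as an added example that is not part of the original posts or the Guarddog README: it verifies that both hook paths resolve to /etc/rc.firewall and are executable, and that the script, which the network scripts run as root on every interface change, has the expected owner and is not group- or world-writable. The function names and the ROOT and OWNER_UID parameters are assumptions made for illustration; GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the Guarddog project.
# audit_guarddog_hooks [ROOT] [OWNER_UID]
#   ROOT      hypothetical prefix for auditing a staged tree (default: live system)
#   OWNER_UID uid expected to own rc.firewall (default: 0, root)
# Requires GNU stat and readlink, as shipped on Fedora.

# Succeeds if $1 is a regular file owned by uid $2 with no group/other write bit.
safe_root_script() {
    [ -f "$1" ] || { echo "FAIL: $1 is missing or not a regular file"; return 1; }
    f_uid=$(stat -L -c '%u' "$1")
    f_mode=$(stat -L -c '%a' "$1")
    [ "$f_uid" = "$2" ] || { echo "FAIL: $1 owned by uid $f_uid, expected $2"; return 1; }
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    [ $(( 0$f_mode & 022 )) -eq 0 ] || {
        echo "FAIL: $1 mode $f_mode is group- or world-writable"; return 1; }
}

audit_guarddog_hooks() {
    root=${1:-}
    owner=${2:-0}
    rc=0
    fw="$root/etc/rc.firewall"
    safe_root_script "$fw" "$owner" || rc=1
    for hook in "$root/sbin/ifup-local" "$root/sbin/ifdown-local"; do
        if [ ! -e "$hook" ]; then
            echo "FAIL: $hook missing or dangling, firewall not reapplied"; rc=1
        elif [ "$(readlink -f "$hook")" != "$(readlink -f "$fw")" ]; then
            echo "FAIL: $hook does not resolve to $fw"; rc=1
        elif [ ! -x "$hook" ]; then
            # Red Hat's ifup-post/ifdown-post only call the hook if it is executable.
            echo "FAIL: $hook is not executable, the network scripts skip it"; rc=1
        else
            echo "OK: $hook -> $fw"
        fi
    done
    return $rc
}
```

Source the file and run `audit_guarddog_hooks` as root to audit the live system; a non-zero return means at least one FAIL line was printed.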