
Tuesday, August 11, 2009

Re: /etc/init.d/iptables

Ivan Shmakov wrote:
>
> Strangely, I cannot find where these directories are documented.
> Could you provide a pointer, please?

The 'interfaces' manpage contains some information about
/etc/network/if-*.d directories and exported variables. There are also
some examples in /usr/share/doc/ifupdown/examples/.

>>> ... Also, is there any good reason to change the firewall
>>> configuration as the interfaces are brought up and down at all?
>>
>> Yes, when iptables rules need some parameters such as interface name,
>> address... which are variable.
>
> Any particular example to consider?
>
>> This is rather common for PPP interfaces.
>
> Well, yes, though I'd consider using the `unit' pppd(8) option
> to fix the interface name once and for all.

"unit" is not always enough. An example is a PPP server which accepts
multiple clients simultaneously and gives each one a different address.
A script in /etc/ppp/ip-up.d/ can use the interface name and the remote
address to block IP spoofing by clients:

iptables -A FORWARD -i $PPP_IFACE -s ! $PPP_REMOTE -j DROP

Another example is when an interface gets a dynamic address and you want
to create a DNAT rule that matches only on that address:

iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport <port> \
-j DNAT --to <server>:<port>

You cannot do that with a static ruleset.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
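A hook script that puts both rules from the reply above into practice, added here as an example and not taken from the post or from Debian's ifupdown/ppp packages. It assumes pppd exports PPP_IFACE, PPP_LOCAL and PPP_REMOTE to /etc/ppp/ip-up.d/ scripts as described; the DNAT port and internal server are constructed placeholders, and the same file is meant to be installed in both ip-up.d and ip-down.d so the rules are withdrawn when the link drops.

```shell
#!/bin/sh
# Added example (not from the original post). Install or symlink this file as
# /etc/ppp/ip-up.d/40-perlink and /etc/ppp/ip-down.d/40-perlink: rules are
# added when a client's link comes up and deleted when it goes down.
# Assumes pppd exports PPP_IFACE, PPP_LOCAL, PPP_REMOTE. Placeholders below.
DNAT_PORT=${DNAT_PORT:-8080}            # constructed placeholder
DNAT_SERVER=${DNAT_SERVER:-192.168.1.10} # constructed placeholder

# Run a command, or only print it when DRY_RUN=1, so the generated rules can
# be checked without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Anti-spoofing rule for one link: drop forwarded packets entering this PPP
# interface whose source is not the address pppd handed to that client.
# $1 is -A (add) or -D (delete). The post writes `-s ! addr`; `! -s addr` is
# the form current iptables documents, with the same meaning.
antispoof() {
    run iptables "$1" FORWARD -i "$PPP_IFACE" ! -s "$PPP_REMOTE" -j DROP
}

# DNAT rule bound to the address this link received, which is exactly what a
# static ruleset cannot express when the local address changes.
dnat() {
    run iptables -t nat "$1" PREROUTING -d "$PPP_LOCAL" -p tcp \
        --dport "$DNAT_PORT" -j DNAT --to "$DNAT_SERVER:$DNAT_PORT"
}

# pppd runs the same script from ip-up.d and ip-down.d; choose add or delete
# from the directory it was invoked from ($0).
hook_action() {
    case "$1" in
        */ip-down.d/*) printf '%s\n' -D ;;
        *) printf '%s\n' -A ;;
    esac
}

# Only act when invoked by pppd (PPP_IFACE set); otherwise just define helpers.
if [ -n "${PPP_IFACE:-}" ]; then
    action=$(hook_action "$0")
    antispoof "$action"
    dnat "$action"
fi
```

Run it by hand with `DRY_RUN=1 PPP_IFACE=ppp0 PPP_LOCAL=... PPP_REMOTE=... sh 40-perlink` to see the rules it would install before enabling it.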
