On Fri, 13 Dec 1996, Martin C. Walker wrote:
> oh great ! funny how that never makes it into the sales literature <grin>
> I wonder what's coming *IN* during policy reload !
> anyone know where can I find out about the other "known problems"
> apart from qualix ?
This brings up a nice operational tip for all of you "roll-your-own"
If you're installing a packet filter on a Unix box acting as a router
(isn't that redundant? why a packet filter on a non-routing box?) then
you should be sure to install your policy _before_ you start passing
traffic. Since most tools won't allow you to assign policy to non-extant
interfaces, the easiest way to do it is:
1) ifconfig your interfaces
2) install your filtering policy
3) install your routing policy
If you do this, then you avoid these problems. When using a machine with
SysV-style init, it's as easy as putting separate scripts in your init.d
directory (using a common config file and some creative scripting makes
things much easier) and then using the S?? invocation from the various
rc?.d directories to ensure they're invoked in the proper order. If
you're anal, you might want to do some file-locking to make sure that no
routes are installed before the filter is in place.
Todd Graham Lewis Linux! Core Engineering
Mindspring Enterprises tlewis @
com (800) 719 4664, x2804
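
The ordering and the "no routes before the filter" guard described in the message above, sketched as an added example that is not part of the original post. The three functions stand in for three separate init.d scripts run in S?? order; STATE_DIR, the stamp file, LOAD_POLICY, the function names and the addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: a stamp file enforces "filter before routes" at boot.
# All names and addresses below are constructed for the example.
# RUN=echo (the default) makes this a dry run; RUN="" executes the commands.
STATE_DIR="${STATE_DIR:-/tmp/fw-order-demo}"
STAMP="$STATE_DIR/filter.loaded"
RUN="${RUN-echo}"

# Step 1 (first S?? script): configure interfaces.
start_interfaces() {
    mkdir -p "$STATE_DIR" || return 1
    # A stamp left over from an earlier boot must not satisfy the guard.
    rm -f "$STAMP"
    $RUN ifconfig eth0 192.0.2.1 netmask 255.255.255.0 up
    $RUN ifconfig eth1 198.51.100.1 netmask 255.255.255.0 up
}

# Step 2 (second S?? script): load the filtering policy.
# LOAD_POLICY is a placeholder for whatever command loads your rules.
start_filter() {
    [ -d "$STATE_DIR" ] || return 1
    if ! ${LOAD_POLICY:-true}; then
        echo "filter policy failed to load; leaving stamp absent" >&2
        return 1
    fi
    # The stamp is written only after the policy loaded successfully.
    : > "$STAMP"
}

# Step 3 (third S?? script): install routes, but only behind the filter.
start_routes() {
    if [ ! -f "$STAMP" ]; then
        echo "refusing to install routes: filter not in place" >&2
        return 1
    fi
    $RUN route add default gw 192.0.2.254
}
```

If the policy load fails, the stamp is never written, so the routing step refuses to run and the box comes up without forwarding paths instead of routing unfiltered.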