On Fri, Dec 01, 2023 at 10:42:13PM +1100, Ralph Ronnquist wrote:
> On Fri, Dec 01, 2023 at 03:58:30AM -0700, Bob Proulx via Dng wrote:
> > Joel Roth via Dng wrote:
> > > But it doesn't start during system boot.
> >
> > > $ ls /etc/rc2.d | grep firewall
> > > S02firewall
> >
> > I think S02 is too early. That would put it in parallel with eudev
> > coming online on my system.
>
> Note that rcS.d/ scripts are run well before rc2.d/ so that change
> would raise the firewall much earlier rather than later. Otoh that's a
> good thing since the firewall should go up before or as soon as the
> network is functional.
Also rcS.d/ scripts are only executed once, whereas those
in rc(n).d/ are executed whenever the run level is entered.
Thanks!
> Ralph.
>
> >
> > > #! /bin/sh
> > > ### BEGIN INIT INFO
> > > # Provides: firewall
> > > # Required-Start:
> > > # Required-Stop:
> > > # Should-Start:
> > > # Should-Stop:
> > > # Default-Start: 2 3 4 5
> > > # Default-Stop:
> > > # Short-Description: Initialize firewall
> > > # Description: Start nft firewall settings for desktop
> > > # Applies to first wifi device
> > > ### END INIT INFO
> >
> > If we look at the shorewall init script we will see it says this.
> >
> > # Required-Start: $network $remote_fs
> > # Required-Stop: $network $remote_fs
> > # Default-Start: S
> > # Default-Stop: 0 1 6
> >
> > Which leads me to believe something similar would be good for your
> > firewall script too. I would modify to the same thing. That will
> > move it a little bit later in the boot process and after the network
> > devices exist, but in single user mode before any daemons have been
> > started so nothing is listening on the network yet.
> >
> > > do_start () {
> > > #WLAN=`cat /proc/net/wireless | perl -ne '/(\w+):/ && print $1'`
> > > # above isn't available until wifi device is associated
> > > WLAN=`iwconfig | perl -ne '/(wlan\d)/ and print $1'`
> > > export WLAN
> > > log_action_msg "Starting firewall on wifi device $WLAN"
> > > perl -pe 's/WLAN/$ENV{WLAN}/' /etc/nft-firewall > /etc/nft-firewall-wifi
> > > nft -f /etc/nft-firewall-wifi
> > > }
> >
> > Just as commentary rather than bring this online during boot time
> > statically which is really meant for static things this might be
> > better served by running from the /etc/network/if-*.d/ dynamic
> > triggers, or their equivalent with whichever manager you are running,
> > which runs event driven after the interface is brought online.
> > Assuming that your Wi-Fi is dynamic using a wifi manager. If it is
> > static then of course the boot time is fine.
> >
> > Bob
> > _______________________________________________
> > Dng mailing list
> > Dng@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
--
Joel Roth
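As an added example (not a script from the thread or from Joel's system), this is how Bob's suggestion of an event-driven /etc/network/if-up.d/ hook could look while still doing what Joel's do_start() does: substitute the interface name into the nft template and load it. ifupdown exports IFACE and MODE to such hooks; the template and output paths and the "WLAN" placeholder follow the thread, and the interface-name check is an assumption added here so that only a plain name is ever spliced into the ruleset nft parses.

```shell
#!/bin/sh
# /etc/network/if-up.d/nft-wifi (added example, not the thread's script):
# render the nft ruleset for the wifi interface that just came up and load it.
TEMPLATE=${TEMPLATE:-/etc/nft-firewall}          # template with WLAN placeholder
RENDERED=${RENDERED:-/etc/nft-firewall-wifi}     # rendered ruleset fed to nft -f

# Accept only a plain wireless interface name (wlan followed by digits).
# The name is substituted into a file that nft then parses, so anything
# else (spaces, quotes, separators) is rejected rather than passed through.
valid_iface() {
    case "$1" in
        "" | *[!A-Za-z0-9]*) return 1 ;;   # empty or non-alphanumeric
        wlan[0-9]*)          return 0 ;;   # wlan0, wlan1, wlan10 ...
        *)                   return 1 ;;   # eth0, lo, ... : not wifi
    esac
}

# render_ruleset IFACE TEMPLATE OUT: replace every WLAN in TEMPLATE with
# IFACE and write the result to OUT. Fails without writing if IFACE is bad.
render_ruleset() {
    iface=$1
    template=$2
    out=$3
    valid_iface "$iface" || return 1
    sed "s/WLAN/$iface/g" "$template" > "$out"
}

# on_ifup IFACE MODE: the hook body. ifupdown runs if-up.d scripts with
# MODE=start; do nothing for other modes or for non-wifi interfaces.
on_ifup() {
    iface=$1
    mode=$2
    [ "$mode" = start ] || return 0
    valid_iface "$iface" || return 0
    render_ruleset "$iface" "$TEMPLATE" "$RENDERED" || return 1
    nft -f "$RENDERED"
}

# Only act when invoked by ifupdown (IFACE and MODE set); when sourced
# without them, just define the functions above.
if [ -n "${IFACE:-}" ] && [ -n "${MODE:-}" ]; then
    on_ifup "$IFACE" "$MODE"
fi
```

Dropped into /etc/network/if-up.d/ and made executable, the hook runs each time the wifi interface is configured, so the ruleset follows the interface rather than a fixed boot step.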