Fedora 11
Our previous IT-guy setup iptable rules on our firewall in a way that is confusing me and he didn't document any of it. I was hoping someone could help me make some sense of it.
The iptables service is obviously starting at startup, but the /etc/sysconfig/iptables file was untouched (default values).
I found in /etc/rc.local he was doing this:
# We have multiple ISP connections on our network.
# The following is about 50+ rules to route incoming and outgoing
# information. For example, certain internal hosts are specified here
# to use ISP A connection while everyone else on the network uses
# ISP B connection when access the internet.
ip rule add from 99.99.99.99 table Whatever_0
ip rule add from 99.99.99.98 table Whatever_0
ip rule add from 99.99.99.97 table Whatever_0
ip rule add from 99.99.99.96 table Whatever_0
ip rule add from 99.99.99.95 table Whatever_0
ip rule add from 192.168.1.103 table ISB_A
ip rule add from 192.168.1.105 table ISB_A
ip route add 192.168.0.0/24 dev eth0 table ISB_B
# etc...
and then near the end of the file, AFTER all the ip rules he just declared, he has this:
/root/fw/firewall-rules.fw
He's executing the firewall rules file that was auto-generated by fwbuilder.
Some questions
Why is he declaring all these ip rules in
rc.localinstead of declaring them infwbuilderlike all the other rules? Any advantage or necessity to this? Or is this just a poorly organized way to implement firewall rules?Why is he declaring ip rules BEFORE executing the
fwbuilderscript? I would assume that one of the first things thefwbuilderscript does it get rid of any existing rules before declaring all the new ones. Am I wrong about this? If that was the case, the fwbuilder script would basically just delete all the ip rules that were defined in rc.local. Does this make any sense?Why is he executing all this stuff at startup in rc.local instead of just using
iptables-saveto keep the firewall settings at/etc/sysconfig/iptablesthat will get implemented at runtime?
