[hipl-users] Re: hipfw as a service in Centos/RHEL/FC

  • From: Miika Komu <miika.komu@xxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Thu, 27 Nov 2008 00:21:35 +0200

Robert Moskowitz wrote:

> Greetings pilgrim,
>
> Well, pilgrim's progress.
>
> I have my first system built with rpms and hipd and hipfw running as daemons at boot time....
>
> So there is a script at /etc/rc.d/init.d/hipfw that starts (or stops) the hipfw daemon.
>
> It starts with the following to 'pull in the sysconfig settings':
>
> [ -f /etc/sysconfig/hipfw ] && . /etc/sysconfig/hipfw
>
> I am ASSUMING that since this file does not exist, the default in /etc/hip will still be used.
>
> Then there is:
>
> OPTIONS="-bklp"
>
> Since I want to allow every HIP packet so far, and this is userspace hipl, I should change this to:
>
> OPTIONS="-Aibklp"

Yes. You can also use -F instead of -A if you want to disable the connection tracker and gain some extra speed.

The IPsec is disabled by default because Fedora 10 (released yesterday) and Ubuntu intrepid already have BEET. And the -A option remains there to remind people that it can filter HIP and ESP traffic. But I can be convinced otherwise.

> Is there any way to control these in the hipfw config file so as not to change the script? Or some other way to control this?

Well, one logical place to do this would be /etc/hip/firewall_conf, but currently it is used only for ACLs. I filed a feature request on this (id 684) so that we don't forget about it. (I wouldn't hold my breath on it because we have other priorities currently.)
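An added example, not HIPL's init script and not code posted by either participant: how the /etc/sysconfig/hipfw override quoted above is normally wired so that the flags can be changed without editing the script. Two points a practitioner would check in the real script. First, as quoted, the `. /etc/sysconfig/hipfw` line comes before `OPTIONS="-bklp"`; if that is the actual order, any OPTIONS set in the sysconfig file is overwritten by the later default, so the default has to be assigned first. Second, `.` executes the file as shell in the context of the init script (root at boot), so the file should be owned by the user running the script and not writable by group or others. The function below takes the file path as an argument (instead of the fixed /etc/sysconfig/hipfw) purely so it can be exercised against a temporary file; the ownership/permission check and the GNU `stat -c` usage are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the HIPL project): the sysconfig override
# pattern used by Red Hat style init scripts, done in the right order and
# with a sanity check before sourcing the file.

# Print the effective hipfw options. Default first, then let the sysconfig
# file (argument 1) override it if it exists and is safe to source.
hipfw_options() {
    conf="$1"
    OPTIONS="-bklp"   # default quoted from the init script in this thread

    if [ -f "$conf" ]; then
        # The file is executed as shell by whoever runs this script, so it
        # must belong to that user and must not be group/world writable.
        owner=$(stat -c '%U' "$conf")
        mode=$(stat -c '%a' "$conf")
        if [ "$owner" != "$(id -un)" ] || [ $((0$mode & 022)) -ne 0 ]; then
            echo "hipfw: refusing to source insecure $conf (owner $owner, mode $mode)" >&2
            return 1
        fi
        # Sourcing happens AFTER the default, so OPTIONS="-Aibklp" in the
        # file actually takes effect instead of being clobbered.
        . "$conf"
    fi

    printf '%s\n' "$OPTIONS"
}

# Stand-alone usage: behaves like the init script would at boot.
if [ "${HIPFW_EXAMPLE_MAIN:-0}" = "1" ]; then
    opts=$(hipfw_options /etc/sysconfig/hipfw) || exit 1
    echo "would run: hipfw $opts"
fi
```

With no sysconfig file the function yields the script's default `-bklp`; a file containing `OPTIONS="-Aibklp"` with mode 0644 yields `-Aibklp`; the same file made mode 0666 is refused, which is the failure mode you want when the file is sourced with root privileges.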
