LinuxQuestions.org


jonfa 03-09-2007 08:17 AM

manually adding rules w/ firestarter installed
 
Hi All,

I have firestarter installed on my Centos 4.4 box and it works well. I want to add more specific rules manually from the command line and not mess up my firestarter rule set. Is this a good idea?

I've noticed that firestarter stores its entries in the /etc/firestarter directory and if I add manual entries they are stored in /etc/sysconfig/.

Is it possible to use both firestarter and manual entries together?

Thanks.

unSpawn 03-11-2007 12:34 PM

Is it possible to use both firestarter and manual entries together?
Short answer: yes and no ;-p

Long answer: your box comes with its own iptables package. Its firewalling rules live in /etc/sysconfig/iptables. Using "iptables", these rules are loaded into kernel land. Firestarter is (amongst other things) a tool to help build rules. Using "iptables", these rules are loaded as well. I don't know if they are added to or override the default CentOS rules but it would be easy to find out by looking at the chain names as the default RHEL package uses distinct naming. Furthermore, if you manually add rules *and* configure iptables to save rules on "service" reload or reboot it will only affect /etc/sysconfig/iptables. This means Firestarter no longer has access to all rules unless it uses something like "/sbin/iptables -n --line-numbers -t $TABLENAME -L $CHAINNAME" which I doubt. You can view this as a positive argument for mucking around manually with rulesets because you always have "untainted" Firestarter rules to fall back on (provided the service loads on boot *and* overrides the default ruleset) or a negative argument if you need to rely on one central tool to administer the firewall. As with most things GNU/Linux the choice is yours.

* Of course I could be horribly wrong. I vaguely remember playing with Firestarter a few times but that was ages ago.
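Two checks follow from the reply above: which user-defined chains are present in the live ruleset (the chain names tell you whether the default RHEL chain and a second tool's chains coexist), and which live rules are missing from /etc/sysconfig/iptables and would therefore vanish on reboot or `service iptables restart`. The shell script below is an added example, not code from the thread or from Firestarter, and works on `iptables-save` output. Both dumps are constructed; RH-Firewall-1-INPUT is the default RHEL/CentOS chain name, while FS-INBOUND is a made-up stand-in for a chain created by a second tool. On a real box you would feed it the output of `iptables-save` and the contents of /etc/sysconfig/iptables instead.

```shell
#!/bin/sh
# Added example (not from the thread): inspect iptables-save dumps to list
# user-defined chains and to find live rules that were never persisted.
# The two dumps below are constructed so the script runs offline.

# Constructed stand-in for `iptables-save` on the running box.
# FS-INBOUND is a made-up chain name standing in for a second tool's chain.
RUNNING_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:FS-INBOUND - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -j FS-INBOUND
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A FS-INBOUND -p tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.5 -p tcp --dport 3306 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed stand-in for /etc/sysconfig/iptables as last saved.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print user-defined chains in a dump as "table chain", one per line.
# Built-in chains carry a policy word (ACCEPT/DROP) after the name;
# user-defined chains carry "-" in that column.
custom_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { split($0, f, " "); if (f[2] == "-") print table, substr(f[1], 2) }
    '
}

# Print -A rules present in the running dump ($1) but absent from the
# saved dump ($2): these are the rules a reboot would silently drop.
unsaved_rules() {
    {
        printf '%s\n' "$2" | sed -n 's/^-A/S -A/p'
        printf '%s\n' "$1" | sed -n 's/^-A/R -A/p'
    } | awk '
        $1 == "S" { seen[substr($0, 3)] = 1; next }
        $1 == "R" { rule = substr($0, 3); if (!(rule in seen)) print rule }
    '
}

echo "User-defined chains in the running ruleset:"
custom_chains "$RUNNING_RULES"
echo
echo "Rules live in the kernel but missing from the saved file:"
unsaved_rules "$RUNNING_RULES" "$SAVED_RULES"
```

The chain listing answers the "added to or override" question: if both the RH-Firewall-1-INPUT chain and a second tool's chains appear, the rulesets have been merged rather than replaced. The second listing is the thing to run before trusting a `service iptables save`, since anything it reports is exactly what a reload would lose.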

