12.7. How to make your firewall load your firewall policy on reboot

12.7.1. Making the Firewall Load the Firewall Policy After Reboot: iptables

The procedure for ensuring that the firewall loads the policy after a reboot depends on which Linux distribution your firewall is based on. Firewall Builder generates the policy as a shell script for firewalls based on Linux and iptables. To activate the policy at boot time, you must arrange for this script to be executed at boot time one way or another.

The standard method is to place the generated script in the /etc or /etc/firewall directory and add a line at the bottom of the /etc/rc.d/rc.local script (on Mandrake and RedHat systems), the /etc/rc.local script (on Debian, Ubuntu, and derivative systems) or the /etc/init.d/boot.local script (on SuSE systems) as shown below:


When this is done, the firewall script runs when the machine executes its boot-time scripts. The name of the file is the same as the name of the firewall object in the Firewall Builder GUI, with the extension ".fw". So, if the firewall object is named guardian, fwbuilder puts the generated policy in the file guardian.fw.

Since the firewall policy generated by Firewall Builder is installed by running this script at boot time, any other firewall startup script that might be supplied by the vendor of your Linux distribution should be disabled. On Mandrake and RedHat systems, this can be done using the following command:

chkconfig --level 2345 iptables off

On SuSE, use the command

chkconfig -e

and change the state of the following services:

SuSEfirewall2_final       off
SuSEfirewall2_init        off
SuSEfirewall2_setup       off

(There must be a better way to turn the firewall off on SuSE, but we do not know it.)

Another method of getting the firewall policy installed automatically at boot time uses the scripts supplied by Mandrake or RedHat. You still need to copy the generated script to the firewall machine and execute it there. (This can be done using the installer scripts fwb_install or fwbinstaller.) Once the policy has been tested and works as expected, run service iptables save to save the policy. The policy will now be activated at boot time if the iptables service is active. You can make it active on Mandrake and RedHat using the following command:

chkconfig --level 2345 iptables on


The script generated by Firewall Builder does more than just set iptables rules; it also adds virtual IP addresses to the interfaces of the firewall and configures kernel parameters. It can determine the real IP addresses of interfaces with dynamic addresses, and it checks that interfaces are present and "up" at the time the firewall policy is applied. The standard iptables-save and iptables-restore commands only manage iptables rules; the other tasks performed by the script generated by Firewall Builder will not be done on reboot if you use this method.

12.7.2. Restarting the Firewall Script when an Interface Address Changes

The firewall policy script generated by Firewall Builder for iptables firewalls needs to be restarted every time the IP address of a dynamic interface changes. This section explains why this is so and how it can be done.

The iptables firewall policy script generated by Firewall Builder determines the IP addresses of all dynamic interfaces and assigns them to variables, which it then uses in the policy rules. This makes it possible to build correct rules that require knowing the address of the interface, such as anti-spoofing rules. On the other hand, if an interface's address changes after the policy has been loaded and activated, the firewall script needs to be restarted.

The firewall can be restarted from one of the scripts that are called by the PPP or DHCP client daemons whenever a connection is established or a new address lease is obtained. For example, the DHCP client dhclient distributed with all major Linux distributions calls a script named dhclient-exit-hooks when a new DHCP lease is obtained. To restart the Firewall Builder-generated firewall script after a new DHCP lease is obtained, add the following lines to dhclient-exit-hooks.
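The lines below are an added example of what such a hook can contain; they are not the original manual's snippet. They restart the script only when dhclient reports a fresh lease (BOUND, REBOOT) or a renewal that actually changed the address (RENEW, REBIND), which avoids reloading the whole policy on every routine renewal, and they verify that the script exists and is executable before calling it. dhclient-script exports the event in $reason and the addresses in $old_ip_address and $new_ip_address when it sources this file; the script path /etc/firewall/firewall.fw follows the page's naming and is to be replaced with the real name.

```shell
# Added example for /etc/dhclient-exit-hooks (not the manual's own snippet).
# dhclient-script sources this file after every DHCP event and exports
# reason, interface, old_ip_address and new_ip_address.

# Path of the generated policy script: an assumption following the page's
# naming, replace with <firewall object name>.fw.
FW_SCRIPT="${FW_SCRIPT:-/etc/firewall/firewall.fw}"

fw_log() {
    # dhclient-script runs without a terminal, so prefer syslog and fall
    # back to stderr where logger is unavailable or cannot reach syslog.
    if command -v logger >/dev/null 2>&1; then
        logger -t fwbuilder "$*" 2>/dev/null && return 0
    fi
    echo "fwbuilder: $*" >&2
}

# fw_needs_restart REASON OLD_ADDR NEW_ADDR: return 0 if the policy must be
# reloaded, 1 otherwise.
fw_needs_restart() {
    case "$1" in
        BOUND|REBOOT)
            # fresh lease: reload as long as we actually got an address
            [ -n "$3" ] && return 0
            return 1 ;;
        RENEW|REBIND)
            # renewal: only an address change matters, not new lease timers
            [ -n "$3" ] && [ "$2" != "$3" ] && return 0
            return 1 ;;
        *)
            # EXPIRE, FAIL, RELEASE, STOP ...: no usable address to load
            return 1 ;;
    esac
}

# fw_restart TAG: run the generated script if it is present and executable.
fw_restart() {
    if [ -x "$FW_SCRIPT" ]; then
        fw_log "restarting $FW_SCRIPT ($1)"
        "$FW_SCRIPT"
    else
        fw_log "cannot restart: $FW_SCRIPT missing or not executable"
        return 1
    fi
}

# Hook body: only acts when sourced by dhclient-script (reason is set),
# so the file is harmless if run directly.
if [ -n "${reason:-}" ]; then
    if fw_needs_restart "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
        fw_restart "${interface:-?} $reason"
    fi
fi
```

For PPP the same two functions can be placed in /etc/ppp/ip-up, which receives the interface name as its first argument and the local address as its fourth, and called as fw_restart "$1 ppp-up" at the bottom of that file; there is no $reason there because ip-up is only run once the link is up and addressed.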



The location of dhclient-exit-hooks can vary, but it is usually found in either /etc or /etc/dhcp3, depending on your system. You may have to create the file if it does not exist already. Check the proper file location by running the man dhclient-script command.

See the dhclient-script(8) man page for a detailed explanation.


On SUSE systems, you should use YAST to configure this. Start the YAST control center, go to "System", then "Editor for /etc/sysconfig files" in the right panel, and when the editor appears, choose "Network/DHCP/DHCP client" in the tree and edit "DHCLIENT_SCRIPT_EXE".

The PPP daemon calls the /etc/ppp/ip-up script when the connection is established and the IP address has been obtained. This script can be used to restart the firewall as well. As with dhclient-exit-hooks, add a call to the /etc/firewall/firewall.fw script at the bottom of the /etc/ppp/ip-up file.


The "/etc/firewall/firewall.fw" file should be replaced everywhere with the real name of the firewall script. Firewall Builder stores the firewall commands in a file named after the firewall object, with the extension ".fw".


Currently, Firewall Builder requires a restart of the firewall script only on iptables firewalls. Firewalls based on OpenBSD pf do not require a restart, because pf can dynamically load the IP address of an interface when it changes. Currently, on ipfilter and ipfw firewalls the address of a dynamic interface has to be entered in the GUI, or it cannot be used in a rule. This limitation will be removed in future versions of the product.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.