The /etc/init.d/ipchains script flushes all rules on shutdown. I suggest
that this is dangerous. Recommended action: have it default-deny and flush
rules on shutdown. Alternatively: have it do nothing on shutdown.
An "accept" action for the script should be added to do what the "stop" one
The problem with that is that if someone wants to disable their firewall,
say to use the machine without a firewall at all, their machine is now
firewalled off completely.
I agree with what you are saying though, but any solution needs
to take every circumstance into consideration. The ipchains script
on "stop" should put the system back into the state it was when
the script was started. So perhaps we could have the rc.sysinit
set the default firewall policy first, and then ipchains script
would read that setting and act appropriately. Unfortunately,
doing this by default would kill DHCP completely and possibly other
Feel free to add more thoughts to help try to come up with an adequate
It might suffice just to desist from flushing the rules at shutdown. It could
check for $CONFIRM if there isn't already a better way to do this.
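The three behaviours discussed above (flush to ACCEPT as the current script does, default-deny, or put back whatever was in the kernel before "start") can all live in one stop action selected by a sysconfig variable. The script below is an added example for this report, not the Red Hat /etc/init.d/ipchains script. The knob name IPCHAINS_STOP_POLICY and the saved-state file /var/run/ipchains.prestart are assumptions; the IPCHAINS, IPCHAINS_SAVE, IPCHAINS_RESTORE, RULES and PRESTART variables exist only so the commands can be substituted when testing on a box without ipchains.

```shell
#!/bin/sh
# Added example of a save-at-start / restore-at-stop ipchains init script.
# Not the distribution's script. IPCHAINS_STOP_POLICY and the prestart file
# are assumed names; the command variables let a test swap in fakes.
IPCHAINS="${IPCHAINS:-ipchains}"
IPCHAINS_SAVE="${IPCHAINS_SAVE:-ipchains-save}"
IPCHAINS_RESTORE="${IPCHAINS_RESTORE:-ipchains-restore}"
RULES="${RULES:-/etc/sysconfig/ipchains}"
PRESTART="${PRESTART:-/var/run/ipchains.prestart}"
# restore: put back the pre-start state; deny: flush and default-deny;
# accept: flush and open up (old behaviour); none: leave the kernel alone.
STOP_POLICY="${IPCHAINS_STOP_POLICY:-restore}"

start() {
    # Snapshot whatever is active before our rules go in, so stop can undo
    # exactly this script's work instead of wiping rules loaded elsewhere.
    "$IPCHAINS_SAVE" > "$PRESTART" 2>/dev/null || : > "$PRESTART"
    "$IPCHAINS_RESTORE" < "$RULES"
}

set_policy() {
    # $1 is ACCEPT or DENY; flush every built-in chain, then set its policy.
    "$IPCHAINS" -F
    for chain in input output forward; do
        "$IPCHAINS" -P "$chain" "$1"
    done
}

stop() {
    case "$STOP_POLICY" in
        restore)
            if [ -s "$PRESTART" ]; then
                "$IPCHAINS" -F
                "$IPCHAINS_RESTORE" < "$PRESTART"
            else
                # No snapshot: fall back to the old wide-open behaviour.
                set_policy ACCEPT
            fi ;;
        deny)   set_policy DENY ;;
        accept) set_policy ACCEPT ;;
        none)   : ;;
        *)      echo "unknown IPCHAINS_STOP_POLICY: $STOP_POLICY" >&2
                return 1 ;;
    esac
}

case "$1" in
    start) start ;;
    stop)  stop ;;
    restart) stop; start ;;
esac
```

With the default of "restore", a box that booted with no rules ends up open after stop (the snapshot contains only the built-in chains' ACCEPT policies), so the DHCP concern raised above does not get worse than today; an admin who wants the fail-closed behaviour sets IPCHAINS_STOP_POLICY=deny and accepts that the box is then unreachable until start runs again.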
Deferring for future consideration.
I've decided against this enhancement as I don't believe it
is a good idea for the general case.