Eric Wood wrote:
lsmod tells me that ip_conntrack_ftp is loaded but I want to
understand how it got loaded. It was not defined in these files:
/etc/sysconfig/iptables-config
/etc/rc.d/*
/etc/modprobe.conf
Is this particular module loaded by the kernel so some other special way?
thanks,
-eric wood
First, I am NOT an expert at this. But the following is my impression
of how
firewall (iptables) modules get loaded.
Whenever, the system boots, a set of "saved" iptables rules is loaded from
/etc/sysconfig/iptables.save
This is a text file, but the rules are in a somewhat more "machine" oriented
format.
The netfilter code in the kernel that actually implements the packet
filtering
requires various modules be loaded to perform the tests and actions
required by each of these rules. I believe that the kernel (or the iptables
utility) automatically loads the modules required by each rule when that
rule is handed over to the kernel for incorporation into the netfilter
"tables".
So that short answer is: the modules required by the rules in
/etc/sysconfig/iptables.save are automatically loaded when the rules are
loaded.
Can anyone confirm or contradict this belief?
BTW, something that is not often mentioned is that if you reconfigure
the firewall
manually, say by typing iptables command lines directly, you can update the
iptables.save file by means of
/sbin/service iptables save
and have the new set of rules loaded on each boot.
I'll actually miss the sysVinit system if it gets replaced by something else
in Fedora. It has a lot of administrative features such as that which
has often given
me more fine-tuned control than most of the GUI's available.