I have a comprehensive blocklist which is loaded and unloaded from /etc/sysconfig/firewall.local by a script (blacklist.sh) at startup which creates drop rules in the CUSTOMFORWARD and CUSTOMINPUT tables.

********************************************* !/bin/sh # Used for private firewall rules

# See how we were called. case "$1" in start) ## add your 'start' rules here

/usr/local/bin/blacklist.sh INPUT append ;; stop) ## add your 'stop' rules here

/usr/local/bin/blacklist.sh INPUT delete ;; reload) $0 stop $0 start ## add your 'reload' rules here ;; *) echo "Usage: $0 {start|stop|reload}" ;; esac *********************************************

It would appear that firewall.local script is called from /usr/lib/firewall/rules.pl with

#Reload firewall.local if present if ( -f '/etc/sysconfig/firewall.local'){ run("/etc/sysconfig/firewall.local reload");

which calls "reload" to the firewall.local script which at boot first runs "stop" and tries to unload the blacklist firewall rules before they have been created causing many errors to be generated in the logs before the rules are then created with "start".

Changing rules.pl to:

run("/etc/sysconfig/firewall.local start");

overcomes the boot problem but I can't then find out how my blacklist rules would then be deleted and potentially multiple copies of the blacklist rules being created.

Maybe I don't fully understand the way the firewall.local rules are controlled but to me there does seem to be an illogical way that the rules are created and deleted by firewall.local.

To me it looks like a bug but if I have understood the process incorrectly, I would appreciate an explanation of the process.

Regards

Rob