Debian package: S40uruk would be better as S41uruk, so that it explicitly starts
after networking (which is S40networking).

We set up firewall rules only _after_ the network interfaces are configured.
This is dumb: during that window we are vulnerable to bugs in the kernel's IP
stack.  One solution for this: create an /etc/init.d/uruk-pre script, which is
run as early as possible, _before_ any network interface is configured.  It
should block all network traffic (except traffic on the loopback interface).
Only later are the network interfaces configured, /etc/init.d/uruk run and
network services started.  After that, services are started (so even with the
current setup we _do_ protect our services).
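A sketch of what such an uruk-pre script could look like, added here as an
illustration (this is not uruk code; the IPT variable, the ipt_echo dry-run
helper and the rate-limited LOG rule are assumptions of this example):

```shell
#!/bin/sh
# Added example, not part of uruk: an early-boot "uruk-pre" script that
# locks the box down before any interface is configured.  Only loopback
# traffic is allowed; everything else is dropped by policy until the real
# ruleset (/etc/init.d/uruk) is loaded later in the boot.
# IPT names the iptables binary; point it at ipt_echo for a dry run.
IPT="${IPT:-iptables}"

# Dry-run helper: print the command line instead of running it.
ipt_echo() {
    printf 'iptables %s\n' "$*"
}

uruk_pre_lockdown() {
    # Drop by default on all three built-in chains ...
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
    # ... and start from empty chains so these rules are the whole set.
    "$IPT" -F INPUT
    "$IPT" -F FORWARD
    "$IPT" -F OUTPUT
    # Loopback stays open, otherwise local daemons that talk over
    # 127.0.0.1 (syslog, nscd, X, ...) break before the network even exists.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Anything else arriving this early is logged sparingly, then dropped
    # by the INPUT policy.
    "$IPT" -A INPUT -m limit --limit 3/minute -j LOG --log-prefix 'uruk-pre: '
}

case "${1:-}" in
    start)   uruk_pre_lockdown ;;
    dry-run) IPT=ipt_echo; uruk_pre_lockdown ;;
    stop)    : ;;   # nothing to undo: /etc/init.d/uruk replaces these rules
esac
```

Run it as "uruk-pre dry-run" to see the nine iptables calls it would make;
the policy lines come first so that nothing slips through while the chains
are being flushed.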

Fix some zoem issues: when running "make distcheck", we get warnings:

 uruk-rc.5:82: warning [p 1, 6.3i]: can't break line
 uruk-rc.5:82: warning [p 1, 6.3i]: cannot adjust line
 uruk.8:125: warning [p 1, 9.6i]: can't break line
 uruk.8:141: warning [p 2, 1.5i]: cannot adjust line

Create "upload" target in /Makefile.am

Fix bugs in uruk script: (force-)reload should do something sane when
uruk not running.

Check documentation: uruk-rc manpage needs more stuff.

Perhaps we need an uruk-init manpage, for the init script.

Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools
can use the same rc file format.

Reimplement uruk-save: make it more robust.  See
http://www.faqs.org/docs/iptables/iptables-save.html for an example of the file
format.  Use logic from iptables-save.c.

Think about an alternative for uruk-save: create a chain, and enable it once
it's fully built by doing just one iptables call.  This would allow truly
atomic loading of new rulesets.
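How that staging-chain idea works in practice, as an added example (not uruk's
own code): the new rules are appended to a chain that nothing jumps to yet,
and a single "-I INPUT 1" call makes them live.  The chain names uruk_in and
uruk_in_new, the IPT variable and the sample rules (including the 192.0.2.0/24
admin network) are constructed for this example; the broadcast rule before the
LOG rule is there to keep broadcasts out of the log, as wished for in the
log-spamming note further down.

```shell
#!/bin/sh
# Added example, not uruk's own code: load a fresh INPUT ruleset into a
# staging chain and make it live with a single iptables call, so there is
# no moment where the kernel runs a half-built set.  The rules are a
# constructed sample; the chain names are assumptions.
IPT="${IPT:-iptables}"
LIVE=uruk_in          # chain the running ruleset lives in (assumed name)
STAGE=uruk_in_new     # staging chain built while the old one is still live

ipt_echo() { printf 'iptables %s\n' "$*"; }

# Build the new rules in STAGE.  Nothing here is reachable from INPUT yet.
uruk_build_stage() {
    # Reuse a leftover staging chain from an aborted run, else create it.
    "$IPT" -F "$STAGE" 2>/dev/null || "$IPT" -N "$STAGE"
    "$IPT" -A "$STAGE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A "$STAGE" -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT  # constructed admin net
    # Silence broadcast noise before logging.
    "$IPT" -A "$STAGE" -m pkttype --pkt-type broadcast -j DROP
    "$IPT" -A "$STAGE" -m limit --limit 5/minute -j LOG --log-prefix 'uruk: '
    # A terminal verdict matters: if the chain could RETURN, packets would
    # fall through to the old rules still present below the new jump.
    "$IPT" -A "$STAGE" -j DROP
}

# Cut over: one call makes STAGE live, then the old chain is retired.
uruk_cutover() {
    "$IPT" -I INPUT 1 -j "$STAGE"
    "$IPT" -D INPUT -j "$LIVE" 2>/dev/null || true   # absent on first load
    "$IPT" -F "$LIVE" 2>/dev/null || true
    "$IPT" -X "$LIVE" 2>/dev/null || true
    "$IPT" -E "$STAGE" "$LIVE"    # rename so the next load finds it as LIVE
}

uruk_atomic_load() {
    uruk_build_stage
    uruk_cutover
}

case "${1:-}" in
    load)    uruk_atomic_load ;;
    dry-run) IPT=ipt_echo; uruk_atomic_load ;;
esac
```

"dry-run" prints the call sequence; the cut-over "-I INPUT 1" line appears
only after every "-A uruk_in_new" line, which is the whole point.  The rename
at the end (iptables -E) keeps the jump from INPUT valid, so the next load
sees the same chain name again.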

Make uruk init-script LSB compliant.
http://refspecs.freestandards.org/LSB_3.0.0/LSB-generic/LSB-generic/initscrcomconv.html
Supply arguments like "status" in init script, see
http://refspecs.freestandards.org/LSB_3.0.0/LSB-generic/LSB-generic/iniscrptact.html
Use example from /u/s/d/lsb-core/examples/init-skeleton.gz .
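An LSB-style skeleton for the init script, added as an example (it is not the
init script uruk ships): it provides "status" with the LSB exit codes and makes
"reload"/"force-reload" behave sanely when uruk is not running, which is the
earlier TODO item about (force-)reload.  The chain name uruk_in, the IPT
variable and the minimal rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not uruk's shipped init script: an LSB-style
# /etc/init.d/uruk skeleton with a "status" action and a (force-)reload
# that does something sane when uruk is not running.  "Running" means the
# uruk chain exists in the kernel; chain name and rules are assumed.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-uruk_in}"

uruk_load_rules() {
    "$IPT" -N "$CHAIN"
    "$IPT" -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A "$CHAIN" -i lo -j ACCEPT
    "$IPT" -A "$CHAIN" -j DROP
    "$IPT" -I INPUT 1 -j "$CHAIN"
}

uruk_unload_rules() {
    "$IPT" -D INPUT -j "$CHAIN"
    "$IPT" -F "$CHAIN"
    "$IPT" -X "$CHAIN"
}

# LSB status codes: 0 = running, 3 = not running.  Listing the chain fails
# when it does not exist, which is the only state uruk has.
uruk_status() {
    if "$IPT" -n -L "$CHAIN" >/dev/null 2>&1; then
        return 0
    fi
    return 3
}

# Dispatcher; returns the LSB exit code instead of calling exit so that it
# can be used from other scripts (and tested).
uruk_ctl() {
    case "$1" in
        start)
            if uruk_status; then echo "uruk: already running"; return 0; fi
            uruk_load_rules ;;
        stop)
            if ! uruk_status; then echo "uruk: not running"; return 0; fi
            uruk_unload_rules ;;
        restart)
            uruk_ctl stop && uruk_ctl start ;;
        reload)
            # LSB code 7: the service is not running, nothing to reload.
            if ! uruk_status; then echo "uruk: not running" >&2; return 7; fi
            uruk_ctl restart ;;
        force-reload)
            # Design choice: when not running, just start instead of failing.
            if uruk_status; then uruk_ctl restart; else uruk_ctl start; fi ;;
        status)
            if uruk_status; then echo "uruk: running"; return 0; fi
            echo "uruk: not running"; return 3 ;;
        *)
            echo "Usage: $0 {start|stop|restart|reload|force-reload|status}" >&2
            return 2 ;;
    esac
}

# Only act when invoked with an argument, so sourcing the file is harmless.
if [ -n "${1:-}" ]; then
    uruk_ctl "$1"
    exit $?
fi
```

Because the state check is a single iptables call, "status" is cheap and
needs no pid file; "reload" on a stopped firewall returns 7 (LSB: program is
not running) rather than silently loading rules the admin did not ask for,
while "force-reload" starts it.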

Is it sane to allow all traffic in the default inactive rule?

Check save_counters support in init script.  It's likely broken.

Date: Wed, 9 Feb 2005 15:09:16 +0100
Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl>
Recognize broadcasts (perhaps by destination MAC address?) and don't log them.
.
alternative implementation: near code-snippet:
 # supporting this for multiple-ips would need multiple chains
 # or, perhaps, some iptables extension.
This log-spamming happens only in multiple-ip-per-nic mode.
Do DROP stuff just before log, would that work?  (No, we really can't do
something like "--dest !(ip1 or ip2 or ip3)".)
.
Yet to implement: loglevel "high".  Document the multiple-ip-per-nic log-spamming bug.

Finish IPv6 support.  Change to enabled-by-default.  Document it.

Phase out support for services_eth0_udp, but enforce ipS_eth0; warn about
obsolete syntax.

( GNU Arch cheat sheet:

joostvb@nagy:~/arch/uruk/uruk/script% tla commit
joostvb@nagy:~/arch/uruk/uruk/script% tla archive-mirror joostvb-arch@mdcc.cx--2004-uruk

)

# this file maintained using arch at http://arch.gna.org/uruk/
