Michael Scherer <misc@xxxxxxxx> writes:

> - a script with lots of iptables calls (quite awful, slow and
>   unauditable in practice, as Reindl explained in another mail, and as I
>   have too often seen at customers' deployments)
> - a script that runs 1 command, iptables-restore < file. Which is
>   equally as awful and unauditable, but faster.

Or (because you mention some flaws of plain 'iptables'),

- create input for iptables-restore; this is fast, maintainable and
  (depending on your environment) auditable. E.g.:

| [root@siggi ~]# time service firewall restart
| Logging current iptables counters                          [  OK  ]
| firewall beenden:                                          [  OK  ]
| firewall starten:                                          [  OK  ]
| Recording fallback firewall-ipv4 configuration             [  OK  ]
|
| real    0m2.070s
| user    0m1.453s
| sys     0m0.258s

(the critical phase of flushing + creating rules takes <1 second)

| [root@siggi ~]# iptables -L -n | wc -l
| 1963

Parts of these rules (in total, there are >2000 lines of (commented!)
shell code) are shown in http://ensc.de/fedora/gw.rules

Workstations and servers get a simpler version of this, like
http://ensc.de/fedora/firewall-ipv4.rules

'./firewall.simple' is deployed company-wide but contains too much
internal information to publish; sorry...

The mentioned functions are defined in http://ensc.de/fedora/functions.firewall
and nothing more than bash and the iptables tools is needed.

I do not have problems with firewalld being installed by default. But it
must never be mandatory (e.g. not pulled in by anaconda implicitly) and it
must be easy to disable it when it was installed for other purposes (e.g.
to have its man-pages on the system).

Enrico

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
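The approach Enrico describes (shell functions that emit an iptables-restore ruleset, loaded in one atomic step instead of hundreds of iptables calls) as an added example; this is not code from functions.firewall, and the function names fw_rule, fw_policy, fw_generate and fw_count_rules, the ports and the log prefix are all constructed for the illustration:

```bash
#!/bin/bash
# Added example: build an iptables-restore input file from small shell
# functions, so the whole ruleset is reviewable as text and loaded atomically.
set -eu

# Emit one rule line in iptables-restore syntax; arguments are joined verbatim.
fw_rule() { printf '%s\n' "-A $*"; }

# Emit a built-in chain with its default policy (counters reset to zero).
fw_policy() { printf ':%s %s [0:0]\n' "$1" "$2"; }

# Build the complete IPv4 filter table for a workstation that should accept
# inbound TCP on the ports given as arguments (constructed sample policy).
fw_generate() {
    echo '# generated ruleset; load with: iptables-restore < file'
    echo '*filter'
    fw_policy INPUT DROP
    fw_policy FORWARD DROP
    fw_policy OUTPUT ACCEPT
    fw_rule INPUT -i lo -j ACCEPT
    fw_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule INPUT -m conntrack --ctstate INVALID -j DROP
    for port in "$@"; do
        fw_rule INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what the default DROP policy will discard; the prefix is quoted
    # because iptables-restore reads it back with shell-like quoting.
    fw_rule INPUT -j LOG --log-prefix '"fw-drop: "' --log-level 4
    echo COMMIT
}

# Cheap audit helper: count the rule lines in a ruleset read from stdin,
# e.g. to diff the expected size of a generated file against the last deploy.
fw_count_rules() { grep -c '^-A '; }

# Parse-only check that never touches the kernel tables; falls back to a
# structural check when iptables-restore is not installed (e.g. on a CI box).
fw_check() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        grep -q '^\*filter$' "$1" && grep -q '^COMMIT$' "$1"
    fi
}

# Stand-alone run: print a ruleset allowing SSH and HTTPS.
fw_generate 22 443
```

Deploying is then `fw_generate 22 443 > /etc/firewall-ipv4.rules && fw_check /etc/firewall-ipv4.rules && iptables-restore < /etc/firewall-ipv4.rules`; because iptables-restore applies the file in one transaction, the flush-and-rebuild window Enrico measured stays well under a second.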