Re: [PATCH 0/3] iptables-edit: tool to apply iptables rules to iptables-save'ed statefiles

On 2007/11/05 01:13, Peter Warasin <peter@xxxxxxxxxx> wrote:
[...]
> Most firewall scripts (for example fwbuilder, shorewall, firehole,
> etc..) work always this way:
> - They flush and remove all iptables chains
> - Apply the iptables rules successively by:
>   o Compile a shell script with an iptables rule per line
>   o Calculating the iptables rules from a configuration file on the fly.

I'm taking the chance to move some attention to my "ferm" project
(which you did not mention): ferm uses iptables-restore to install the
new rules atomically.

 http://ferm.foo-projects.org/

ferm does not do that by default (yet), because iptables versions
prior to 1.3 were too bugged for that to work properly - you have to
run "ferm --fast" to take advantage of atomic iptables-restore.

[...]
> Another advantage could be something like this:
> 
> $ iptables-restore netfilter_edited.dump && sleep 10 && \
> iptables-restore netfilter.dump
> 
> which automatically would jump back to the old ruleset if the
> administrator did something wrong and locked himself out.

This is implemented in ferm as "interactive" mode (ferm
--interactive).

Max
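The "apply, wait, then fall back to the saved ruleset" idea quoted above, written out as a reusable POSIX shell function. This is an added example, not code from the thread, from ferm, or from the iptables-edit patch series; it assumes the `iptables-save` / `iptables-restore` pair (overridable through the hypothetical `IPTABLES_SAVE` and `IPTABLES_RESTORE` variables so the logic can be exercised without root) and a confirmation file the administrator creates once they have verified they are still able to log in.

```sh
#!/bin/sh
# Atomic ruleset switch with automatic rollback.
# Assumption (not from the thread): the save/restore commands are taken from
# these variables so the control flow can be tested with stand-in functions.
: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"

# apply_with_rollback NEW_RULES TIMEOUT_SECONDS CONFIRM_FILE
#   1. snapshot the live ruleset with iptables-save (the rollback point)
#   2. load NEW_RULES atomically with iptables-restore
#   3. wait up to TIMEOUT_SECONDS for CONFIRM_FILE to appear; the admin
#      creates it from a fresh session after confirming nothing is locked out
#   4. if no confirmation arrives, restore the snapshot
# Exit status: 0 = new rules kept, 1 = rolled back to the old rules,
#              2 = save/restore itself failed (live state may be unchanged)
apply_with_rollback() {
    new="$1"; timeout="$2"; confirm="$3"
    backup=$(mktemp) || return 2

    # Rollback point first: if we cannot save, do not touch the live rules.
    "$IPTABLES_SAVE" > "$backup" || { rm -f "$backup"; return 2; }

    # iptables-restore reads the dump from stdin and commits it as one unit.
    if ! "$IPTABLES_RESTORE" < "$new"; then
        rm -f "$backup"
        return 2
    fi

    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            # Admin confirmed access still works: keep the new rules.
            rm -f "$backup" "$confirm"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done

    # Timeout without confirmation: put the previous ruleset back.
    "$IPTABLES_RESTORE" < "$backup"
    rc=$?
    rm -f "$backup"
    [ "$rc" -eq 0 ] && return 1
    return 2
}

# Usage (as root, real commands):
#   apply_with_rollback /etc/netfilter_edited.dump 60 /run/fw-confirm
# then, from a new SSH session opened after the switch:  touch /run/fw-confirm
```

The snapshot is taken before anything is changed, so a failure in `iptables-save` aborts without modifying the live table; the restore of the snapshot is the same atomic operation as the initial switch, so a partially applied ruleset is never left behind on rollback.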
