On 2007/11/05 01:13, Peter Warasin <peter@xxxxxxxxxx> wrote:
[...]
> Most firewall scripts (for example fwbuilder, shorewall, firehole,
> etc..) work always this way:
> - They flush and remove all iptables chains
> - Apply the iptables rules successively by:
>   o Compile a shell script with an iptables rule per line
>   o Calculating the iptables rules from a configuration file on the fly.

I'm taking the chance to move some attention to my "ferm" project
(which you did not mention): ferm uses iptables-restore to install the
new rules atomically.

http://ferm.foo-projects.org/

ferm does not do that by default (yet), because iptables versions prior
to 1.3 were too bugged for that to work properly - you have to run
"ferm --fast" to take advantage of atomic iptables-restore.

[...]
> Another advantage could be something like this:
>
> $ iptables-restore netfilter_edited.dump && sleep 10 && \
>   iptables-restore netfilter.dump
>
> which automatically would jump back to the old ruleset if the
> administrator did something wrong and locked out himself.

This is implemented in ferm as "interactive" mode (ferm --interactive).

Max

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
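The two ideas in this exchange, loading a ruleset atomically through iptables-restore instead of one iptables call per line, and reverting to the previous ruleset unless the administrator confirms the new one still lets them in, written out as an added POSIX sh example. This is not ferm's code and not from the message above; it assumes iptables-save and iptables-restore are on PATH (overridable through the IPT_SAVE and IPT_RESTORE variables so the control flow can be exercised without root), and the ruleset text is a constructed sample in iptables-save format.

```shell
#!/bin/sh
# Added example (not ferm's code): atomic ruleset load with a confirm-or-rollback timer.
# Assumed: iptables-save / iptables-restore on PATH; both can be overridden so the
# logic can be tested with stand-ins.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# Constructed sample ruleset in the format iptables-restore consumes.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
'

# apply_with_rollback NEWRULES TIMEOUT CONFIRMFILE
#   1. snapshot the live ruleset with iptables-save
#   2. load NEWRULES with iptables-restore: the file is parsed as a whole and each
#      table is installed at its COMMIT line, so a syntax error leaves the old
#      rules untouched instead of half of a chain flushed and half rebuilt
#   3. wait up to TIMEOUT seconds for CONFIRMFILE to appear (the admin creates it
#      from a fresh session that proves the new rules did not lock them out);
#      if it never appears, reload the snapshot
# Exit status: 0 confirmed, 1 rolled back to the snapshot, 2 new ruleset rejected.
apply_with_rollback() {
    new="$1"; timeout="$2"; confirm="$3"
    backup=$(mktemp) || return 2
    "$IPT_SAVE" > "$backup" || { rm -f "$backup"; return 2; }
    if ! "$IPT_RESTORE" < "$new"; then
        # rejected before COMMIT: nothing changed in the kernel, keep the old rules
        rm -f "$backup"
        return 2
    fi
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$backup" "$confirm"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    # no confirmation in time: assume the admin is locked out and go back
    "$IPT_RESTORE" < "$backup"
    rm -f "$backup"
    return 1
}

# Usage from a root shell (hypothetical paths):
#   apply_with_rollback /etc/firewall/new.rules 30 /run/firewall.confirmed
# then, from a new SSH session opened after the load:
#   touch /run/firewall.confirmed
```

The confirmation file replaces the fixed `sleep 10` from the quoted message: the rollback still happens on its own if the administrator cannot get back in, but a working session can cancel it instead of having to race the timer.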