I love and have iptables-save. We have a bunch of rules governing our LAN to DMZ, DMZ to INET and LAN to INET. For simplicity we also have comments referring to what each rule is for. We have certain one-off exceptions and a mess of complicated ptp holes. iptables-save and restore's failure is that it doesn't retain the additional comment information that we insert. Though it's trivial, it would be nice.

Gary Wayne Smith

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jose Maria Lopez
Sent: Saturday, October 30, 2004 2:00 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: iptables script file

On Thu, 28 Oct 2004 at 17:05, Jason Opperisano wrote:
> so, the upshot is this--if your ruleset is sufficiently large to make
> the inefficiency of scripted "iptables" commands a problem--you'll need
> to use "iptables-restore" to load your rules. once you get the hang of
> it, it really isn't that hard to just edit the "iptables-restore" file
> format (even though this isn't "recommended").

Don't know why everybody talks about the problem of editing the iptables-save file. You don't need to do it. You just save the script that generates the iptables-save rules and you edit it when you need it, then you generate the rules and do a new iptables-save. No problem here.

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@xxxxxxxxx
bgSEC Security and Information Systems Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
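The "keep the generator script, not the saved file" workflow from the thread, as an added example that is not from any of the posters: a small POSIX shell generator that holds one comment per rule and writes an iptables-restore file, putting each comment on a "#" line, which iptables-restore ignores, so the comments Gary misses ride along with the loaded rules. The interface names, networks, chain policies and the rule table are constructed for the example.

```shell
#!/bin/sh
# Added example: build an iptables-restore file from a rule table that
# carries a comment per rule. iptables-restore skips lines that start
# with "#", so the comment lines load harmlessly; iptables-save still
# emits only the live rules, so edit this table, never the saved file.
# Interfaces, addresses and chains below are made up (eth1=LAN, eth2=DMZ, eth0=INET).

# One rule per line: CHAIN|RULE|COMMENT   (constructed sample ruleset)
RULES='FORWARD|-i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT|LAN to DMZ: web
FORWARD|-i eth2 -o eth0 -p udp --dport 53 -j ACCEPT|DMZ to INET: dns
FORWARD|-i eth1 -o eth0 -j ACCEPT|LAN to INET: everything
FORWARD|-i eth1 -o eth2 -p tcp --dport 5900 -s 10.0.1.15 -j ACCEPT|one-off: helpdesk vnc'

# Emit the filter table in iptables-restore format, one "# comment" line
# immediately before the rule it describes.
gen_rules() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' "$RULES" | while IFS='|' read -r chain rule comment; do
        [ -n "$chain" ] || continue          # skip blank lines in the table
        printf '# %s\n' "$comment"
        printf '%s %s %s\n' '-A' "$chain" "$rule"
    done
    printf 'COMMIT\n'
}

# Count output lines starting with the given prefix (sanity check that
# every rule got its comment).
count_lines() { gen_rules | grep -c "^$1"; }

# Write the file; load it with:  iptables-restore < rules.v4
gen_rules > rules.v4
```

If the live ruleset is later dumped again with iptables-save, the "#" lines are gone again; a comment attached with iptables' comment match (-m comment --comment '...') lives inside the rule itself and does survive iptables-save.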