On Wednesday, 5 March, martin f krafft typed the following:

Hi!

> You probably know the feeling, that cold and hot rush of adrenaline
> after you've typed "iptables-restore < new-ruleset" and didn't get to
> see the shell prompt again: you've just locked yourself out of
> a machine that's potentially far away, and you feel like vandalism,
> or screaming at the top of your lungs, or whatever.
>
> I've had that feeling once too many times and ended up writing
> iptables-apply[0] with a docbook manpage[1].
>
> 0. http://svn.madduck.net/pub/sbin/base/iptables-apply
> 1. http://svn.madduck.net/pub/sbin/base/iptables-apply.dbk
>
> iptables-apply is a simple shell script which applies the new
> ruleset and then prompts whether you like it. If you've locked
> yourself out, you cannot answer the prompt, and if you don't, the
> script rolls back the ruleset. Nice and simple.

Oh well, that's a different approach to my version :)

While hacking on a firewall management framework, I built such a thing,
too. It works a bit differently but does basically the same thing.

My idea was to create a 'token' when the rules have been loaded, wait
for $TIME and if the token still exists (as in has not been deleted,
because it was impossible) revert the ruleset to the old one.

Maybe this is also interesting for others:

 * http://files.rfc2324.org/projects/alff/agent/alff-cat
   has to be installed on the firewalls (config files in the same
   directory)

 * I push rules to my machines using Alff but basically a

     cat $rules_file | ssh -l root -x $firewall "alff-cat -"

   should work.

My scripts still use shell scripts with iptables commands in them, as I
did not finish the conversion to iptables-restore...

Just my 0,02 EUR

Greetz from frosty Zurich

Max
--
Follow the white penguin.
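As an added illustration of the token-based rollback described in the message above (this is example code written for this page, not alff-cat, iptables-apply or any other script from the thread), the sketch below loads a ruleset, drops a token file, and restores the previous ruleset unless the token is removed within a timeout. The function names, the token and backup paths, and the use of iptables-save/iptables-restore as the save and load commands are assumptions made for the example.

```shell
#!/bin/sh
# Example (not from the original thread): apply an iptables ruleset and roll it
# back automatically unless an operator proves they still have access by
# deleting a token file within TIMEOUT seconds.
# Assumed paths; override with environment variables if needed.
FW_TOKEN="${FW_TOKEN:-/run/fw-apply.token}"
FW_BACKUP="${FW_BACKUP:-/run/fw-apply.backup}"

# Thin wrappers around the real tools. They are functions so a dry run can
# replace them (e.g. with cat into a scratch file) without touching the logic.
fw_save()    { iptables-save; }
fw_restore() { iptables-restore; }

# fw_apply_with_rollback RULESET_FILE [TIMEOUT_SECONDS]
#   1. save the running ruleset to FW_BACKUP
#   2. create FW_TOKEN, then load RULESET_FILE
#   3. wait up to TIMEOUT_SECONDS for the token to disappear; the operator
#      removes it from a *new* session, which only works if the new rules
#      still let them in
#   4. if the token is still there, assume we are locked out and restore
# Returns 0 if the ruleset was confirmed, 1 if it was rolled back, 2 on error.
fw_apply_with_rollback() {
    ruleset=$1
    timeout=${2:-60}
    [ -r "$ruleset" ] || { echo "cannot read $ruleset" >&2; return 2; }

    fw_save > "$FW_BACKUP" || { echo "saving current ruleset failed" >&2; return 2; }
    : > "$FW_TOKEN"

    if ! fw_restore < "$ruleset"; then
        # The new ruleset did not load. iptables-restore is atomic per table,
        # so reloading the backup is the cheapest way back to a known state.
        fw_restore < "$FW_BACKUP"
        rm -f "$FW_TOKEN"
        return 2
    fi

    echo "new ruleset loaded; remove $FW_TOKEN within ${timeout}s to keep it" >&2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        [ -e "$FW_TOKEN" ] || return 0   # token gone: confirmed from elsewhere
        sleep 1
        elapsed=$((elapsed + 1))
    done

    echo "no confirmation after ${timeout}s, rolling back" >&2
    fw_restore < "$FW_BACKUP"
    rm -f "$FW_TOKEN"
    return 1
}

# Run directly: fw-apply.sh /path/to/ruleset [timeout]
if [ "$#" -ge 1 ]; then
    fw_apply_with_rollback "$@"
fi
```

Two practical points: the watchdog only helps if it outlives the session that started it, so on a remote box run it under nohup, setsid or a screen/tmux session rather than in the foreground of the very SSH connection the new rules might cut; and confirmation must come from a fresh login (`ssh firewall rm /run/fw-apply.token`), because deleting the token from the original, still-established session proves nothing about whether new connections get through.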