On 29/09/2011 09:29, Pandu Poluan wrote:
> That's why I now no longer write iptables commands directly on the
> shell. I keep my firewall rules in a file /etc/opt/firewall, and if I
> need to add new rules, I just do: `vi /etc/opt/firewall &&
> iptables-restore < /etc/opt/firewall`
>
> (Of course, to seed the file I'd do `iptables-save > /etc/opt/firewall` )
>
> This has the added benefit of allowing me to document all firewall
> changes by doing `hg commit` followed by `hg push` to a local
> Mercurial repository.
>
> (The reason why I put the rules in /etc/opt instead of /etc is so that
> I don't have to create an .hgignore file)
>

Can I also leave a plug for shorewall for similar reasons? It is a fairly thin wrapper over iptables (etc.), but it allows you to think at a slightly higher level and wraps things such as setting/restoring fwmarks and routing, breaking them out from the general access rules. I find it picks a very nice level between firewall GUIs and raw editing of iptables commands. Give it a try. Also, it's text-file based, so it's very easy to track via some source code control system.

Cheers

Ed W
--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
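An added example, not code from either poster's message: a small bash wrapper around the edit, `iptables-restore`, `hg commit` workflow quoted above, which first checks that the saved ruleset is structurally sound so a truncated or mis-edited file is never loaded. The `/etc/opt/firewall` path is the one from the message; the `fw_check`/`fw_apply` names, the reliance on `iptables-restore --test` and the commit message format are assumptions.

```shell
#!/bin/bash
# Added example, not code from the list message: wraps the
# "edit -> iptables-restore -> hg commit" workflow with a structural
# check of the saved ruleset first. FW_FILE default is the path from the
# message; fw_check/fw_apply and the use of --test are assumptions.
set -u

FW_FILE="${FW_FILE:-/etc/opt/firewall}"

# fw_check FILE: sanity-check an iptables-save dump before restoring it.
# Every "*table" block must be closed by COMMIT, and every policy (":")
# or rule ("-A", "-I", ...) line must sit inside a block. This catches a
# truncated or mis-edited file before iptables-restore touches the kernel.
fw_check() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }                  # comments, blanks
        /^\*/ {                                              # start of a table
            if (open) { print "table " tbl " missing COMMIT"; bad = 1 }
            open = 1; tbl = substr($0, 2); next
        }
        /^COMMIT$/ {                                         # end of a table
            if (!open) { print "COMMIT without table"; bad = 1 }
            open = 0; commits++; next
        }
        /^:/ || /^-/ {                                       # policy or rule
            if (!open) { print "line outside any table: " $0; bad = 1 }
            next
        }
        { print "unrecognised line: " $0; bad = 1 }
        END {
            if (open) { print "table " tbl " missing COMMIT"; bad = 1 }
            if (commits == 0) { print "no tables found"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# fw_apply: check, dry-run parse, load, then record the change in Mercurial.
# iptables-restore --test parses the file without loading it (needs a
# reasonably recent iptables); only if that succeeds is the ruleset applied.
fw_apply() {
    fw_check "$FW_FILE" || return 1
    iptables-restore --test < "$FW_FILE" || return 1
    iptables-restore < "$FW_FILE" || return 1
    (cd "$(dirname "$FW_FILE")" && hg commit -m "firewall: $(date -u +%FT%TZ)" "$FW_FILE")
}

# Usage, as in the message: vi "$FW_FILE" && fw_apply
```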