On Sat 26/Jun/2021 12:43:45 +0200 Reindl Harald wrote:
>>> /usr/sbin/ipset -file /etc/sysconfig/ipset restore
>>> /usr/sbin/iptables-nft-restore /etc/sysconfig/iptables
>>> /usr/sbin/sysctl -q --load=/etc/sysctl*.conf
>>> that way first all rules are loaded atomically and *then* "ip_forward" and
>>> friends are set to avoid a leak at boot
>> it may be good for you pro administrators with complex configurations... I
>> have all in one file and do not need to bother about 1ms lost during reload
>> nor seeking 10 different config files for simple tasks and wasting hours by
>> config. I like easy life.
> mixing things together which don't belong together like iptables and sysctl is
> the opposite of simple as well as running a ton of commands at boot where it
> should be a one-liner is also the opposite
I'm with David here. Besides sysctl and ipset, there are lots of ip commands,
modprobes, vconfig, and a couple of home-brewed daemons (ipqbdb). A soundly
commented script captures the logic of the network and can be maintained with
more coherence than raw commands accumulated along the way. The only drawback
is that most changes, for example punching a hole in the firewall, have to be
applied twice, in the boot script as well as directly in a terminal.
Best
Ale
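As an added example that is not part of this thread, here is one commented boot script in the spirit of both positions: the three quoted commands, in the quoted order, wrapped so that forwarding is only turned on once the ruleset is actually in place and so that a failed step fails closed. The binary and file paths are assumptions taken from the quoted commands, and the sysctl files are assumed to be what carries net.ipv4.ip_forward=1; everything can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: one commented boot script that keeps
# the ordering from the quoted commands (sets, then rules, then sysctl) and
# fails closed. All paths are assumptions; override via the environment.
IPSET_BIN="${IPSET_BIN:-/usr/sbin/ipset}"
IPTABLES_RESTORE_BIN="${IPTABLES_RESTORE_BIN:-/usr/sbin/iptables-nft-restore}"
SYSCTL_BIN="${SYSCTL_BIN:-/usr/sbin/sysctl}"
IPSET_CONF="${IPSET_CONF:-/etc/sysconfig/ipset}"
IPTABLES_CONF="${IPTABLES_CONF:-/etc/sysconfig/iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Exit status 0 when the kernel is currently forwarding, 1 otherwise.
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# 1. ipset sets first, so rules that reference them can load.
# 2. iptables-restore replaces the whole ruleset in a single commit.
# 3. sysctl files (assumed to carry net.ipv4.ip_forward=1) come last, so the
#    box never forwards without a ruleset. Each step returns a distinct code
#    and stops the script, leaving forwarding in its previous (off) state.
boot_firewall() {
    if forwarding_enabled; then
        echo "warning: forwarding already enabled before rules were loaded" >&2
    fi
    "$IPSET_BIN" -file "$IPSET_CONF" restore || return 1
    "$IPTABLES_RESTORE_BIN" "$IPTABLES_CONF" || return 2
    "$SYSCTL_BIN" -q --load=/etc/sysctl*.conf || return 3
}

# Run from the service unit as: sh firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    boot_firewall
fi
```

The distinct return codes make a failed boot visible in the unit status instead of silently leaving the box with forwarding on and no rules.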