On 6/28/21 4:47 AM, Alessandro Vesely wrote:
One "best practice" that I'd object to is blindly restoring whatever was saved on shutdown. How can one control that? Booting with some clean, well-defined data looks safer.
In my home-brew iptables(8) script, written as a shell script quite a few years ago, I use shell functions to actually build the commands. The specifications are coded in shell arrays, one for each type of "pinhole". This resulted in a mostly-closed implementation.
Originally, the script was invoked at boot time via an rc.local entry. When I would make a change, I would then manually run the script as root. Manual changes are few and far between, usually because I've taken on a new task that requires a few more ports be opened.
With my move to Ubuntu, plus replacing my LAN-to-public interface with a Unity appliance, I've not taken the time to port the script to Python, nor to build a systemd configuration for it. Indeed, with Ubuntu I'm using UFW, adding reverse path filtering plus rate limiting on pings.
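The pattern described above (a default-deny policy generated from a small specification list, with functions building the actual iptables commands, plus reverse-path filtering and rate-limited ping) looks roughly like the following. This is an added example, not the poster's script: the port lists, the ping limit, the variable names and the IPT dry-run prefix are all constructed for illustration. It is written in POSIX sh, so "arrays" are whitespace-separated strings; with IPT left at its default the script only echoes the commands it would run, which is a convenient way to review the generated rule set before applying it as root.

```shell
#!/bin/sh
# Added example (not the poster's script): build a mostly-closed iptables
# policy from shell "pinhole" specifications.
# IPT is the command prefix. The default "echo iptables" is a dry run that
# prints each rule; set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

# Pinhole specifications (constructed sample values): one list per protocol.
# Adding a port here is the only edit needed when a new service is taken on.
TCP_PINHOLES="22 80 443"
UDP_PINHOLES="123"
PING_LIMIT="1/second"   # constructed rate limit for ICMP echo requests

# Emit a single rule through $IPT.
ipt() { $IPT "$@"; }

# Open one inbound pinhole for new connections on proto/port.
pinhole() {
    proto="$1"; port="$2"
    ipt -A INPUT -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

build_firewall() {
    # Start from a clean, well-defined state rather than whatever was saved.
    ipt -F INPUT
    ipt -t raw -F PREROUTING

    # Default deny: anything not explicitly pinholed below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections we initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Reverse-path filtering: drop packets whose source is not routable
    # back via the interface they arrived on (rpfilter lives in raw/mangle).
    ipt -t raw -A PREROUTING -m rpfilter --invalid -j DROP

    # Rate-limited ping; excess echo requests fall through to the DROP policy.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit "$PING_LIMIT" -j ACCEPT

    # Pinholes generated from the specification lists.
    for p in $TCP_PINHOLES; do pinhole tcp "$p"; done
    for p in $UDP_PINHOLES; do pinhole udp "$p"; done

    # Log (rate-limited) what is about to hit the default DROP policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

build_firewall
```

Because the generator is just a function, the same script serves as boot-time configuration (run it from rc.local or a oneshot unit) and as the tool you re-run by hand after editing a pinhole list; the dry-run output is what you diff before applying a change.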