On Mon 28/Jun/2021 14:03:30 +0200 Reindl Harald wrote:
On 28.06.21 at 13:47 Alessandro Vesely wrote:
On Mon 28/Jun/2021 12:17:11 +0200 Reindl Harald wrote:
On 28.06.21 at 11:23 Alessandro Vesely wrote:
do what you want but stop talking nonsense when it comes to best practice
One "best practice" that I'd object to is blindly restoring whatever was
saved on shutdown. How can one control that? Booting with some clean,
well-defined data looks safer.
WTF: there is nothing magically or blindly saved and changed at shutdown, it's
the whole state as it was, the outcome from your script
do you guys not realize that your shell scripts are fine, as mine are, but at the
end the iptables ruleset has a defined state which you want restored 1:1
at boot
If the defined state is the result of a shell script, re-running the same shell
script should result in the same state. Restoring from the last-saved state
may be faster/cooler, but roughly equivalent.
However, what if, one day, something wrong happens and you try to quickly fix
the rules? At some point you realize the rules were fine, the problem was
somewhere else, and now you need to reboot. Hm... how do you return to the
previous state? Maybe the shell script that originally gave rise to the
target state ran in 2008 for the last time. The last iptables-save output
looks older than some changes applied a couple of weeks ago; there's been no
reboot in the meantime. What do you do in that case?
this whole discussion is embarrassing and especially when the target audience
in this case is a noob-user it's idiotic not to follow best practices
nobody gives a shit how you create the ruleset and nobody right in his mind
would touch the save-file by anything else but "iptables-save --file path" as
nobody right in his mind would load it by anything else than
"iptables-nft-restore path"
That way you exclude comments. Don't you think it's relevant to annotate why
you issued a given rule? What if someone else will have to maintain the
ruleset? Or even yourself, if you happen to forget what daemon is expected
to filter packets in a given nf queue, or what reason you had in mind when
you defined a given chain rather than jumping directly to the next target?
Where do you write down such maintenance hints?
please stop spreading bullshit - we have enough idiots out there blindly following
whatever they read wherever on the internet without the slightest clue what
they are doing
YOU can do what you want on YOUR machine but best practices are there to avoid
endless threads over and over again when someone has a problem and nobody knows
about his setup and your "i do everything like i want" is off-topic
I think that any "idiots out there" who might be following this thread can
judge by themselves. However, if you think this is bullshit, you should stop
amplifying it, because probably that's what you're doing. There is no well
established /best practice/, because iptables rules are managed in so many
different ways. Don't think that calling my arguments *bullshit* earns yours
more points: You never know what's on an idiot's mind.
Best
Ale
--
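An added example, written for this page and not taken from the thread or from either poster, showing one way to address both concerns raised above: keeping the reason for each rule inside the ruleset itself, and finding out whether the live/saved ruleset still matches what the script produces. The annotations use the iptables "comment" match (-m comment --comment "..."), which iptables-save writes out and iptables-restore reads back, so they survive a save/restore cycle, unlike shell "#" comments. The chain policies, ports, the NFQUEUE number, the "ticket-42" text and the constructed iptables-save dump are all made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): annotate rules with the "comment" match so
# the rationale travels with the saved ruleset, and diff a saved dump against the
# ruleset the script intends to produce, to detect drift between the two.
# All rules, ports, queue numbers and the sample dump below are constructed.

# The intended ruleset, written in iptables-save format and in the spelling
# iptables-save uses (matches before the target, "-p tcp -m tcp --dport"), so
# that the comparison below can be purely textual.
intended_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "loopback: local IPC" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "replies to traffic we started" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "ssh; see ticket-42" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m comment --comment "queue 1 is read by the MTA filter daemon" -j NFQUEUE --queue-num 1
COMMIT
EOF
}

# Remove what legitimately differs between two dumps of the same ruleset:
# the "# Generated by" / "# Completed on" lines and the packet/byte counters
# (per-rule counters appear only with "iptables-save -c").
normalize_ruleset() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed on/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$/ [0:0]/'
}

# Compare a saved dump (e.g. the file written by "iptables-save --file path")
# with the intended ruleset. Prints a unified diff; exit 0 = identical, 1 = drift.
ruleset_drift() {
    saved="$1"
    want=$(mktemp) && have=$(mktemp) || return 2
    intended_ruleset | normalize_ruleset > "$want"
    normalize_ruleset < "$saved" > "$have"
    diff -u "$want" "$have"
    status=$?
    rm -f "$want" "$have"
    return $status
}

# Print the rules in a dump that carry no "comment" match: the ones nobody
# will be able to explain later. Exits 0 whether or not any are found.
unannotated_rules() {
    normalize_ruleset < "$1" | awk '/^-A / && !/-m comment/'
}

# Constructed sample: a dump as "iptables-save -c" might write it weeks after the
# script last ran, after someone added a rule by hand and never annotated it.
SAMPLE_DUMP='# Generated by iptables-save v1.8.7 on Mon Jun 28 13:47:00 2021
*filter
:INPUT DROP [812:49112]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9331:1210473]
[1200:96000] -A INPUT -i lo -m comment --comment "loopback: local IPC" -j ACCEPT
[5400:4300500] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "replies to traffic we started" -j ACCEPT
[17:1020] -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "ssh; see ticket-42" -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[44:2640] -A INPUT -p tcp -m tcp --dport 25 -m comment --comment "queue 1 is read by the MTA filter daemon" -j NFQUEUE --queue-num 1
COMMIT
# Completed on Mon Jun 28 13:47:00 2021'

demo() {
    f=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_DUMP" > "$f"
    echo "== rules in the dump with no annotation =="
    unannotated_rules "$f"
    echo "== drift between script and dump =="
    ruleset_drift "$f" || echo "saved ruleset differs from what the script produces"
    rm -f "$f"
}

demo
```

On a real host the check is `iptables-save > /tmp/now && ruleset_drift /tmp/now`. Because the comparison is textual, the intended ruleset has to be written the way iptables-save spells it; the simplest way to get that form is to load the script's rules once on a test box and dump them. The two iptables backends (iptables-legacy and iptables-nft) can print the same rule slightly differently, so generate and compare with the same binary. The comment match holds up to 256 characters per rule, which is enough for a short reason and a ticket or change reference, but not for the longer notes a script's own comments can carry.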