bdubbs at swbell.net
Mon Mar 22 22:01:44 PST 2004
jeremy at jutley.org wrote:
>There's a reason I do a save as I do - makes it a lot easier to add
>firewall rules on the fly - instead of having to add the rule, make sure
>it works, then add the command into your firewall shell script, it simply
>saves the current state of the firewall to load up at next reboot.
>Personally, I can think of very few times when this would *NOT* be the
>desired way of operation - you usually want your firewall in the exact
>same state after reboot as it was before reboot.
Different approaches are, well, different. I recommend always running
an iptables bash script--never hack something by hand. If you want to
make a change, edit the script, run, test, repeat as necessary. The
startup script just runs the script. No shutdown required.
Making changes on the fly is error-prone and, IMO, dangerous. In a
script, you can easily document what you are doing. If you don't do
that, you end up scratching your head and saying "what was that for?" A
sample is attached.
>Also remember that the format that iptables-restore uses would not exactly
>be the easiest to edit by hand, so use of my script would require manually
>running iptables-save > /etc/firewall.conf.
I never use iptables-save/restore for the above reasons. The rules need
to be documented.
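The approach described in this message (one documented script that resets the tables and rebuilds the complete rule set, run from the startup script and re-run after every edit), as an added example; it is not the sample attached to the original post. The interface names, the LAN subnet and the allowed services are constructed for illustration, and the `IPT` variable is a convenience so the rule list can be printed with `firewall.sh show` before it is loaded.

```shell
#!/bin/sh
# firewall.sh - documented iptables rules. Run at boot; after editing, run again and test.
# Assumed layout (constructed for this example): eth0 = WAN, eth1 = LAN 192.168.1.0/24.
IPT="${IPT:-iptables}"      # set IPT=print_rule to list the rules instead of loading them
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Dry-run stand-in for iptables: prints the rule it was handed, one per line.
print_rule() {
    printf '%s\n' "$*"
}

# Wipe everything first so the script, and nothing else, defines the firewall state.
flush_rules() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

apply_firewall() {
    flush_rules
    # Default deny for inbound and forwarded traffic; what this host sends out is trusted.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback must be open or local services (DNS cache, X, databases) break.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we initiated. Without this, outbound works but nothing comes back.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A "new" TCP packet that is not a SYN is a scan or a broken stack; drop it.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # SSH only from the LAN side and only from the LAN subnet; the WAN gets no services.
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    # Let the LAN out through the WAN, and let the replies back in.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the WAN address.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
    # Log what the INPUT policy is about to drop, rate limited so a scan cannot fill the disk.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  IPT=print_rule; apply_firewall ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

The startup script only needs `/etc/rc.d/firewall.sh apply`; every rule carries the comment that says why it exists, which is the point of keeping the rules in a script rather than in `iptables-save` output.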