Firewall bootscript

Bruce Dubbs bdubbs at swbell.net
Mon Mar 22 22:01:44 PST 2004


jeremy at jutley.org wrote:

>There's a reason I do a save as I do - makes it a lot easier to add
>firewall rules on the fly - instead of having to add the rule, make sure
>it works, then add the command into your firewall shell script, it simply
>saves the current state of the firewall to load up at next reboot. 
>Personally, I can think of very few times when this would *NOT* be the
>desired way of operation - you usually want your firewall in the exact
>same state after reboot as it was before reboot.

Different approaches are, well, different.  I recommend always running 
an iptables bash script--never hack something by hand.  If you want to 
make a change, edit the script, run, test, repeat as necessary.  The 
startup script just runs the script.  No shutdown required.

Making changes on the fly is error-prone and, IMO, dangerous.  In a 
script, you can easily document what you are doing.  If you don't do 
that, you end up scratching your head and saying "what was that for?"  A 
sample is attached.

>Also remember that the format that iptables-restore uses would not exactly
>be the easiest to edit by hand, so use of my script would require manually
>running iptables-save > /etc/firewall.conf.

I never use iptables-save/restore for the above reasons.  The rules need 
to be documented.

  -- Bruce


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rc.iptables
URL: <http://lists.linuxfromscratch.org/pipermail/blfs-dev/attachments/20040323/768fc8b4/attachment.ksh>
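The approach Bruce describes (one documented iptables script that the bootscript simply runs, re-run after every edit), as an added example written for this page; it is not the rc.iptables he attached. The services it opens (ssh and ping), the DRY_RUN switch and the rule set itself are assumptions constructed for illustration.

```shell
#!/bin/sh
# rc.iptables-style firewall script (added example, not the attached one).
# Every rule carries a comment saying why it exists, so the script is the
# documentation.  The bootscript just calls:  sh /etc/rc.d/rc.iptables start
# Set DRY_RUN=1 to print the iptables commands instead of executing them,
# which lets you review the rule set on a box without iptables.

IPT=${IPT:-iptables}      # assumed: iptables is on PATH
DRY_RUN=${DRY_RUN:-0}

# Run one iptables command, or print it under DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Flush all tables so the script always starts from a known state.
reset_tables() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X
    ipt -t mangle -F
    ipt -t mangle -X
}

# Default policies: drop anything not explicitly allowed in, but let the
# host originate connections.
set_policies() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Rules every host needs.
base_rules() {
    # Loopback is local-only and many daemons depend on it.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A TCP packet claiming to be NEW but lacking SYN is bogus; drop it.
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

# Services this host offers (assumed: ssh only).
service_rules() {
    # Remote administration.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Allow ping so the host can be monitored.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Log what the policy is about to drop, rate limited so a flood
# cannot fill the log.
log_rules() {
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

load_firewall() {
    reset_tables
    set_policies
    base_rules
    service_rules
    log_rules
}

# Count the rules a dry run would append to the given chain; a quick
# sanity check before the script goes into the bootscript.
dry_run_count() {
    ( DRY_RUN=1; load_firewall ) | grep -c -- "-A $1"
}

# Only act when invoked with an argument, e.g. from the bootscript.
if [ $# -gt 0 ]; then
    case "$1" in
        start|restart) load_firewall ;;
        dry-run) DRY_RUN=1; load_firewall ;;
        *) echo "Usage: $0 {start|restart|dry-run}" >&2; exit 1 ;;
    esac
fi
```

Because the script flushes and rebuilds everything, "start" and "restart" are the same thing, and there is nothing to do at shutdown, which is exactly why the bootscript can just run it. Running `sh rc.iptables dry-run` shows the full command list for review before it is ever applied.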

