dj at lucasit.com
Mon Mar 22 22:10:16 PST 2004
jeremy at jutley.org wrote:
>>>> iptables-restore < /etc/firewall.conf
>>>> echo "1" > /proc/sys/net/ipv4/ip_forward # Turns on
>>>> cp -f /etc/firewall.conf /etc/firewall.conf.bak # Makes a backup
>>>> iptables-save > /etc/firewall.conf
>>I like Jeremy's better than the kludge I threw together Saturday. I
>>have to agree with Ian and Kevin though on the stop. Definitely do not
>>save the current setup on stop. This is just bad ju-ju waiting. Even
>>with a backup, the backup only lasts until the next reboot,
> There's a reason I do a save as I do - makes it a lot easier to add
> firewall rules on the fly - instead of having to add the rule, make sure
> it works, then add the command into your firewall shell script, it simply
> saves the current state of the firewall to load up at next reboot.
> Personally, I can think of very few times when this would *NOT* be the
> desired way of operation - you usually want your firewall in the exact
> same state after reboot as it was before reboot.
Most times I think it wouldn't matter either way. You add a rule, then
do a save (use the init script). Guess I'm a pessimist, but I'd rather
have the same state that I know has been working for months on end.
Keep in mind, however, I am not a current user. I'm just trying to
provide my view of a possible pitfall before a commitment is made to a
default. I've expressed that view, now I bow out to Jeremy and others
who know a lot more about it than I.
> Also remember that the format that iptables-restore uses would not exactly
> be the easiest to edit by hand, so use of my script would require manually
> running iptables-save > /etc/firewall.conf.
Or in the proposed script from before: /etc/rc.d/init.d/firewall save.
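Below is an added example of the kind of init script the thread is discussing; it is not the script Jeremy posted nor the one in the BLFS book. It keeps the point made above: "stop" never writes the config, only an explicit "save" does, and forwarding is switched on only after the ruleset has loaded (and off before it is torn down). The variables IPT, IPT_SAVE, IPT_RESTORE, FIREWALL_CONF and IP_FORWARD_CTL are assumptions added so the script can be pointed at other commands or paths; their defaults are the commands and paths named in the thread.

```sh
#!/bin/sh
# /etc/rc.d/init.d/firewall (illustrative example, not the BLFS script)
#   start   : load the saved ruleset, then enable forwarding
#   stop    : disable forwarding, flush and open the tables; never writes the config
#   save    : back up the current config and write the live ruleset to it
#   status  : print the live ruleset
#
# Assumed override variables (not in the original script) so the commands and
# paths can be redirected; the defaults are the ones used in the thread.
IPT=${IPT:-iptables}
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
CONF=${FIREWALL_CONF:-/etc/firewall.conf}
IPFWD=${IP_FORWARD_CTL:-/proc/sys/net/ipv4/ip_forward}

set_forwarding() {
    # write the sysctl file directly; a bare "echo 1 /proc/.../ip_forward"
    # without the redirect only prints to stdout and changes nothing
    echo "$1" > "$IPFWD"
}

firewall_start() {
    if [ ! -r "$CONF" ]; then
        echo "firewall: $CONF missing or unreadable, leaving forwarding off" >&2
        return 1
    fi
    # load the rules first and only then open the forwarding path, so there
    # is no window in which the box routes packets through an empty ruleset
    if ! "$IPT_RESTORE" < "$CONF"; then
        echo "firewall: restore from $CONF failed, leaving forwarding off" >&2
        set_forwarding 0
        return 1
    fi
    set_forwarding 1
}

firewall_stop() {
    # stop forwarding before the filter is torn down, then open the host.
    # Deliberately no save here: a stop with a half-edited or broken ruleset
    # would otherwise become the ruleset loaded at next boot.
    set_forwarding 0
    for table in filter nat mangle; do
        "$IPT" -t "$table" -F
        "$IPT" -t "$table" -X
    done
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" ACCEPT
    done
}

firewall_save() {
    # write the live state to a temp file first and rename it into place, so a
    # failed iptables-save never leaves a truncated config behind; keep one
    # generation of the previous config as in the quoted script
    tmp="$CONF.tmp.$$"
    if ! "$IPT_SAVE" > "$tmp"; then
        rm -f "$tmp"
        echo "firewall: $IPT_SAVE failed, $CONF left untouched" >&2
        return 1
    fi
    if [ -f "$CONF" ]; then
        cp -f "$CONF" "$CONF.bak"
    fi
    chmod 600 "$tmp"
    mv -f "$tmp" "$CONF"
}

firewall_status() {
    "$IPT_SAVE"
}

case "${1:-}" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    save)    firewall_save ;;
    status)  firewall_status ;;
    "")      : ;;   # no action: only define the functions (lets the file be sourced)
    *)       echo "Usage: $0 {start|stop|restart|save|status}" >&2; exit 1 ;;
esac
```

The workflow this supports is the one described above: add a rule with iptables, confirm it works, then run the script's "save" action; a reboot or "stop" in between will not persist anything, so a ruleset left in a bad state is never what comes back up.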