Firewall bootscript

DJ Lucas dj at lucasit.com
Mon Mar 22 22:10:16 PST 2004


jeremy at jutley.org wrote:

>>>>for start:
>>>>   iptables-restore < /etc/firewall.conf
>>>>   echo "1" > /proc/sys/net/ipv4/ip_forward # Turns on forwarding/masq'ing
>>>>
>>>>for stop:
>>>>   cp -f /etc/firewall.conf /etc/firewall.conf.bak # Makes a backup
>>>>   iptables-save > /etc/firewall.conf
>>
>>I like Jeremy's better than the kludge I threw together Saturday.  I
>>have to agree with Ian and Kevin though on the stop.  Definitely do not
>>save the current setup on stop.  This is just bad ju-ju waiting.  Even
>>with a backup, the backup only lasts until the next reboot, 
> 
> 
> There's a reason I do a save as I do - makes it a lot easier to add
> firewall rules on the fly - instead of having to add the rule, make sure
> it works, then add the command into your firewall shell script, it simply
> saves the current state of the firewall to load up at next reboot. 
> Personally, I can think of very few times when this would *NOT* be the
> desired way of operation - you usually want your firewall in the exact
> same state after reboot as it was before reboot.

Most times I think it wouldn't matter either way.  You add a rule, then 
do a save (use the init script).  Guess I'm a pessimist, but I'd rather 
have the same state that I know has been working for months on end. 
Keep in mind, however, I am not a current user. I'm just trying to 
provide my view of a possible pitfall before a commitment is made to a 
default.  I've expressed that view, now I bow out to Jeremy and others 
who know a lot more about it than I.

> 
> Also remember that the format that iptables-restore uses would not exactly
> be the easiest to edit by hand, so use of my script would require manually
> running iptables-save > /etc/firewall.conf.
> 

Or in the proposed script from before: /etc/rc.d/init.d/firewall save.

-- DJ

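As an added example (not the script posted in the thread), here is an init script with the stop/save split DJ argues for: stop flushes the running rules without touching /etc/firewall.conf, and a separate save action commits them while keeping the previous copy. /etc/firewall.conf and the ip_forward toggle come from the quoted script; the fw_* functions and the overridable CONF/IPTABLES* variables are assumed names.

```shell
#!/bin/sh
# Added example, not the script from the thread: "stop" never writes the config;
# only "save" does.  Variables are assumed names, so paths/commands can be overridden.
CONF="${CONF:-/etc/firewall.conf}"
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

fw_start() {
    # Load the known-good ruleset; refuse to run unfiltered if it is missing.
    [ -r "$CONF" ] || { echo "$CONF missing; run '$0 save' first" >&2; return 1; }
    $IPTABLES_RESTORE < "$CONF" || return 1
    echo 1 > "$IP_FORWARD"   # forward only once the filter is in place
}

fw_stop() {
    # Disable the filter in memory only; $CONF keeps the last saved state.
    echo 0 > "$IP_FORWARD"
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F && $IPTABLES -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        $IPTABLES -P "$c" ACCEPT
    done
}

fw_save() {
    # Explicit commit of the running ruleset: keep the previous copy and replace
    # $CONF only after a complete dump, so a failed save cannot leave it empty.
    [ -f "$CONF" ] && cp -f "$CONF" "$CONF.bak"
    if $IPTABLES_SAVE > "$CONF.tmp"; then
        mv -f "$CONF.tmp" "$CONF"
    else
        rm -f "$CONF.tmp"; echo "iptables-save failed; $CONF untouched" >&2; return 1
    fi
}

if [ $# -gt 0 ]; then   # guarded so the functions can also be sourced
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop && fw_start ;;
        save)    fw_save ;;
        *) echo "Usage: $0 {start|stop|restart|save}" >&2; exit 1 ;;
    esac
fi
```

Installed as /etc/rc.d/init.d/firewall, the workflow is: add rules by hand, confirm they work, then run `firewall save`; a later `stop` or reboot can no longer overwrite that saved state with whatever happened to be loaded at the time.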



More information about the blfs-dev mailing list