Kurt Lieber wrote:

>From a server perspective, I have never been very happy with the way Gentoo
>handles iptables. If you're not familiar with the Gentoo/iptables
>solution, it basically uses an 'iptables-save' script to save your current
>ruleset each time you /etc/init.d/iptables stop and/or reboot the box. The
>next time iptables is started, it uses that saved state.
>

I wasn't aware of this... I hand-edit my /var/lib/iptables/rules-save
file, and it's not touched when I reboot or /etc/init.d/iptables stop...
Do you mean /etc/init.d/iptables save? My comments don't get wiped out,
so the default-ish setup isn't saving my environment automatically...

Ken

>The reason I don't like this is because, oftentimes when debugging, I'll
>add a temporary iptables rule to see if that fixes the problem at hand.
>Being human, I don't always remember to clean that rule out later. With
>the current solution, this means that rule will always be there and will
>survive reboots.
>
>Instead, I much prefer a solution where the box starts from a known set of
>rules that are hard-coded. You can still add ad-hoc iptables rules as
>needed, but when you reboot the box, you'll be back to a "known-good"
>state.
>

That's how my setup works.

>So, Andrea Barisani was kind enough to help write a new set of init scripts
>and conf files that works this way. He and I have worked together to debug
>them (though he's spent more time debugging my mistakes :) and I feel
>pretty comfortable recommending them for production use. They're running
>on three of Gentoo's infrastructure boxes and will soon be running on all
>of them.
>
>Documentation:
>http://www.gentoo.org/proj/en/infrastructure/firewall/server-firewall.xml
>
>Scripts:
>http://dev.gentoo.org/~lcars/fw/
>
>Note that those scripts do not make use of ulogd. If you're a ulogd user
>like I am, some simple modifications to the init.d script will allow you to
>use that instead of syslog.
>
>Comments, questions and feedback are welcome. I'd also like to thank
>Andrea for his hard work in writing these scripts.
>
>--kurt
>
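The approach Kurt describes (a hard-coded known-good ruleset loaded at boot, so ad-hoc rules do not survive a restart) as a small shell sketch, added here as an example; it is not code from this thread, from Gentoo's iptables init script, or from the scripts at dev.gentoo.org/~lcars/fw/. The path /etc/firewall/rules.v4, the sample ruleset and the sample iptables-save dump are assumptions made up for illustration. It also adds the check the complaint implies: a diff of the live ruleset against the baseline, so a forgotten debugging rule is noticed rather than silently dropped (or silently kept) at the next reboot.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Gentoo scripts:
# keep the firewall baseline as a hand-maintained iptables-restore file,
# load exactly that file on start, and detect rules that were added by
# hand and never cleaned up. Paths and rules below are assumptions.

FW_RULES="${FW_RULES:-/etc/firewall/rules.v4}"   # assumed baseline location

# The known-good ruleset. This is the only thing that is ever edited; the
# running kernel state is never saved back over it. It is written in the
# form iptables-save emits (e.g. "-p tcp -m tcp --dport 22"), so a diff
# against a live dump is not cluttered with cosmetic rewrites.
known_good_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Strip the parts of an iptables-save dump that legitimately differ between
# runs: the "# Generated by"/"# Completed on" comments, packet/byte counters
# and trailing whitespace. Everything left is a rule or a chain policy.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/[[:space:]]*$//' "$@"
}

# rules_drift BASELINE RUNNING_DUMP
# Returns 0 when the running ruleset matches the baseline, 1 when it differs
# (a unified diff is printed: "+" lines are rules present only on the box).
rules_drift() {
    base_n=$(mktemp) || return 2
    run_n=$(mktemp) || return 2
    normalize_rules "$1" > "$base_n"
    normalize_rules "$2" > "$run_n"
    rc=0
    diff -u "$base_n" "$run_n" || rc=$?
    rm -f "$base_n" "$run_n"
    return "$rc"
}

# Constructed sample of what `iptables-save` might print on a box where a
# debugging rule for port 8080 was added by hand and forgotten.
constructed_running_dump() {
    cat <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4321:98765]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
EOF
}

# Dump the live tables and compare them with the baseline (needs root).
check_live() {
    dump=$(mktemp) || return 2
    iptables-save > "$dump" || { rm -f "$dump"; return 2; }
    rc=0
    rules_drift "$FW_RULES" "$dump" || rc=$?
    rm -f "$dump"
    return "$rc"
}

# Subcommands (all need root and a Linux box with iptables):
#   init  - write the hard-coded baseline to $FW_RULES
#   start - load the baseline; iptables-restore replaces the whole table,
#           so any ad-hoc rule is gone afterwards
#   check - diff the live ruleset against the baseline (run it from cron)
case "${1:-}" in
    init)  known_good_rules > "$FW_RULES" ;;
    start) iptables-restore < "$FW_RULES" ;;
    check) check_live ;;
    *)     ;;
esac
```

Two practical caveats. iptables-save rewrites rules into its own canonical form, so a baseline typed by hand may show spurious drift (missing `-m tcp`, reordered match flags); the simplest cure is to load the hand-written file once with iptables-restore and keep the `iptables-save` output of that as the baseline file. And `rules_drift` only answers "does the box still match the file"; it says nothing about whether the file itself is right, which is exactly why the file, not the kernel state, is what gets reviewed and version-controlled.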