From a server perspective, I have never been very happy with the way Gentoo
handles iptables. If you're not familiar with the Gentoo/iptables
solution, it basically uses an 'iptables-save' script to save your current
ruleset each time you /etc/init.d/iptables stop and/or reboot the box. The
next time iptables is started, it uses that saved state.

The reason I don't like this is because, oftentimes when debugging, I'll
add a temporary iptables rule to see if that fixes the problem at hand.
Being human, I don't always remember to clean that rule out later. With
the current solution, this means that rule will always be there and will
survive reboots.

Instead, I much prefer a solution where the box starts from a known set of
rules that are hard-coded. You can still add ad-hoc iptables rules as
needed, but when you reboot the box, you'll be back to a "known-good"
state.
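The pattern described above, as an added illustration rather than Andrea's scripts or anything from the linked URLs: a hard-coded ruleset loaded with iptables-restore at boot, plus a small check that diffs a live iptables-save dump against it so leftover debugging rules show up before they get saved. The ruleset, the function names and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Hypothetical "known-good" firewall loader: the ruleset lives here in the
# script, so whatever was added by hand during debugging is gone after a
# restart. Constructed example ruleset: loopback and SSH in, the rest dropped.
# Rules are spelled the way iptables-save prints them (e.g. "-m tcp" before
# --dport) so that a live dump can be compared line by line.
KNOWN_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Normalise an iptables-save dump read from stdin: strip the "# Generated by"
# comment lines and the [packets:bytes] counters on chain policy lines.
normalize_ruleset() {
    grep -v '^#' | sed 's/ \[[0-9]*:[0-9]*\]$//' | grep -v '^$'
}

# Print every line of the live dump (stdin) that is not in KNOWN_GOOD.
# Those are the ad-hoc rules that the save-on-stop approach would persist.
# "--" keeps grep from reading a rule such as "-A INPUT ..." as its options.
find_drift() {
    live=$(normalize_ruleset)
    good=$(printf '%s\n' "$KNOWN_GOOD" | normalize_ruleset)
    printf '%s\n' "$live" | while IFS= read -r line; do
        printf '%s\n' "$good" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# Load the hard-coded ruleset in one atomic iptables-restore call (needs root;
# this is what the boot-time init script would run, not exercised by the test).
apply_known_good() {
    printf '%s\n' "$KNOWN_GOOD" | iptables-restore
}
```

Run `iptables-save | sh -c '. ./fw.sh; find_drift'` on a box to list rules that have crept in since the last boot.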

So, Andrea Barisani was kind enough to help write a new set of init scripts
and conf files that works this way. He and I have worked together to debug
them (though he's spent more time debugging my mistakes :) and I feel
pretty comfortable recommending them for production use. They're running
on three of Gentoo's infrastructure boxes and will soon be running on all
of them.

Documentation:
http://www.gentoo.org/proj/en/infrastructure/firewall/server-firewall.xml

Scripts:
http://dev.gentoo.org/~lcars/fw/

Note that those scripts do not make use of ulogd. If you're a ulogd user
like I am, some simple modifications to the init.d script will allow you to
use that instead of syslog.

Comments, questions and feedback are welcome. I'd also like to thank
Andrea for his hard work in writing these scripts.

--kurt