| 1 |
Michael Orlitzky <michael@××××××××.com> wrote: |
| 2 |
>>> [...] |
| 3 |
>>> If you have a million rules and you need to wipe/reload them all |
| 4 |
>>> frequently you're probably doing something wrong to begin with. |
| 5 |
>> |
| 6 |
>> I don't know how this is related with the discussion. |
| 7 |
>> The main advantage of using iptables-restore is avoidance of |
| 8 |
>> race conditions. A secondary advantage is a speed improvement; |
| 9 |
>> in my case, the machine boots about 2 seconds faster which can |
| 10 |
>> be a considerable advantage if you start virtual machines. |
| 11 |
>> |
| 12 |
> |
| 13 |
> I was just reiterating that there's not much benefit to save/restore if |
| 14 |
> you're doing things properly (pontification alert!). |
| 15 |
|
| 16 |
For a laptop of a scientist like me this is not true at all - it must |
| 17 |
often be connected in a different environment with different |
| 18 |
local nets etc. |
| 19 |
Also for other things (like portknocking using the recent module) |
| 20 |
you need rather complex rules which are better rewritten by a script, |
| 21 |
especially if the length of a portknocking sequence changes. |
| 22 |
Like passwords, these sequences should better not stay the same for |
| 23 |
too long... |
| 24 |
|
| 25 |
> Race conditions don't really seem that serious to me. |
| 26 |
|
| 27 |
Maybe, but I am not sure: |
| 28 |
There might be situations where it might be possible to keep |
| 29 |
a port open even when the rule is rewritten later on; then |
| 30 |
you need an open system only once... |
| 31 |
So, I could imagine that with some clever hacks an attacker |
| 32 |
might keep ports open and then do another attack later on. |
| 33 |
I am not an experienced hacker to know such attacks, but I |
| 34 |
know that races can be very subtle and provide attack vectors |
| 35 |
nobody has ever thought off. |
| 36 |
|
| 37 |
> All of security is a trade-off, and in my opinion, having |
| 38 |
> human-friendly, easily-readable rules (with error checking) |
| 39 |
|
| 40 |
It is easy to switch to one method for testing and then back |
| 41 |
when everything works: If you write $iptables ... |
| 42 |
throughout you just have to set |
| 43 |
iptables="iptables" |
| 44 |
or |
| 45 |
iptables="FvwmTables 4" |
| 46 |
respectively. In fact, the firewall-mv script does this |
| 47 |
(with a different mechanism) depending on a commandline switch. |
| 48 |
Moreover, I observed that the error checking works with |
| 49 |
iptables-restore as well as with iptables: |
| 50 |
It shows you almost the same errors, including a line number. |
| 51 |
So the only difference is that you have to count the lines |
| 52 |
in the testing output instead of directly seeing the command... |
Archives