Michael Orlitzky <michael@××××××××.com> wrote:

>>> [...]
>>> If you have a million rules and you need to wipe/reload them all
>>> frequently you're probably doing something wrong to begin with.
>>
>> I don't know how this is related to the discussion.
>> The main advantage of using iptables-restore is avoidance of
>> race conditions. A secondary advantage is a speed improvement;
>> in my case, the machine boots about 2 seconds faster which can
>> be a considerable advantage if you start virtual machines.
>>
>
> I was just reiterating that there's not much benefit to save/restore if
> you're doing things properly (pontification alert!).

For a laptop of a scientist like me this is not true at all - it must
often be connected in a different environment with different
local nets etc.
Also for other things (like portknocking using the recent module)
you need rather complex rules which are better rewritten by a script,
especially if the length of a portknocking sequence changes.
Like passwords, these sequences had better not stay the same for
too long...

> Race conditions don't really seem that serious to me.

Maybe, but I am not sure:
There might be situations where it might be possible to keep
a port open even when the rule is rewritten later on; then
you need an open system only once...
So, I could imagine that with some clever hacks an attacker
might keep ports open and then do another attack later on.
I am not an experienced enough hacker to know such attacks, but I
know that races can be very subtle and provide attack vectors
nobody has ever thought of.

> All of security is a trade-off, and in my opinion, having
> human-friendly, easily-readable rules (with error checking)

It is easy to switch to one method for testing and then back
when everything works: If you write $iptables ...
throughout you just have to set
iptables="iptables"
or
iptables="FvwmTables 4"
respectively. In fact, the firewall-mv script does this
(with a different mechanism) depending on a command-line switch.
Moreover, I observed that the error checking works with
iptables-restore as well as with iptables:
It shows you almost the same errors, including a line number.
So the only difference is that you have to count the lines
in the testing output instead of directly seeing the command... |
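As an added example (not the poster's firewall-mv script and not code from anyone in this thread), here is a small POSIX shell script that keeps one rule list and loads it either way: MODE=direct runs each rule as a separate iptables command through a configurable $IPTABLES (so IPTABLES=echo gives a readable dry run for testing), while MODE=restore prints the same rules as an iptables-restore file that can be piped into iptables-restore for one atomic load, which is what closes the window where the old rules are already flushed and the new ones not yet in place. The chain policies, the rule set and the variable names MODE and IPTABLES are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not the poster's firewall-mv script: one rule list, two back ends.
#
#   MODE=direct IPTABLES=echo sh fw.sh          # dry run: print the commands
#   MODE=direct sh fw.sh                        # apply rule by rule
#   MODE=restore sh fw.sh | iptables-restore    # apply in one atomic step
#
# The policies and rules below are constructed for illustration only.

# Chain policies for the filter table: "CHAIN POLICY", one per line.
POLICIES='INPUT DROP
FORWARD DROP
OUTPUT ACCEPT'

# Rules for the filter table: "CHAIN rule-spec", one per line, in order.
RULES='INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
INPUT -i lo -j ACCEPT
INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
INPUT -j DROP'

# Print the rule set in iptables-restore format (filter table only).
restore_file() {
    printf '*filter\n'
    while read -r chain policy; do
        printf ':%s %s [0:0]\n' "$chain" "$policy"
    done <<EOF
$POLICIES
EOF
    while read -r chain spec; do
        printf '%s %s %s\n' -A "$chain" "$spec"
    done <<EOF
$RULES
EOF
    printf 'COMMIT\n'
}

# Apply the same rule set one command at a time through $IPTABLES
# (default: iptables; IPTABLES=echo only shows what would run).
# Stops at the first failing command, as a hand-written script would.
direct_commands() {
    ipt=${IPTABLES:-iptables}
    while read -r chain policy; do
        "$ipt" -t filter -P "$chain" "$policy" || return 1
    done <<EOF
$POLICIES
EOF
    while read -r chain spec; do
        # $spec is intentionally unquoted so it splits into arguments.
        # shellcheck disable=SC2086
        "$ipt" -t filter -A "$chain" $spec || return 1
    done <<EOF
$RULES
EOF
}

case "${MODE:-restore}" in
    restore) restore_file ;;
    direct)  direct_commands ;;
    *)       echo "unknown MODE: $MODE" >&2; exit 1 ;;
esac
```

Both back ends read the same two variables, so a rule edited for testing under MODE=direct is exactly the rule that ends up in the restore file. When iptables-restore rejects the file it reports the failing line number, which here is simply the position of the rule in RULES plus the policy header lines.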