On Fri, 04 Oct 2013 17:58:14 -0400
Michael Orlitzky <michael@××××××××.com> wrote:

> On 10/03/2013 04:28 PM, Kerin Millar wrote:
> >
> > The iptables runscript is ideal for persisting the rules. However,
> > during the initial construction of a non-trivial ruleset, I prefer
> > to write a script that adds the rules. An elegant way of doing this
> > is to use iptables-restore with a heredoc. The method - and its
> > advantages - are described in this document (section 3):
> >
> > http://inai.de/documents/Perfect_Ruleset.pdf
> >
>
> This advice is dubious in my opinion. The `iptables` command line is
> the published interface to iptables. The iptables-restore syntax is an
> implementation detail, subject to change at any time.
>
> Here are his arguments:
>
> 1. Calling iptables repeatedly is slow.
>
> Who cares? How often do you invoke the script? Once or twice a year
> when you change it.
>
> 2. There is an opportunity for someone to bypass the rules between
> dropping/recreating them.
>
> Again, you run the script once or twice a year. Turn off the interface
> beforehand if a few microseconds per year is too long to run without a
> firewall.
>
>
> And my counterarguments:
>
> 1. The iptables-restore syntax is uglier and harder to read.
>
> 2. You get better error reporting calling iptables repeatedly.
>
> 3. The published interface will never change; iptables-restore reads
> an input language whose specification is "whatever iptables-save
> outputs."
>
> 4. A bash script is far more standard and less confusing to your
> coworkers.
>
> 5. You can't script iptables-restore! What if you want to call sed,
> cut, or grep on something and pass that to iptables? You can write a
> bash script that writes an iptables-restore script to accomplish the
> same thing, but how much complexity are you willing to add for next
> to no benefit?
>
>

Hi,
Many people use netfilter for busy firewalls, not just for set-and-
forget firewalls. Having hundreds or thousands of rules and IPs makes
managing netfilter with iptables problematic. That is when it's
advisable to change the filter in one swoop with restore or ipset.
Bottom line is, your individual use case is just that: individual.
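The two approaches discussed above (a heredoc fed to iptables-restore, versus a shell script that generates the rules) can be combined: a shell function emits a complete iptables-save-format table from a variable, so the kernel ruleset is still replaced in one atomic COMMIT, while the rule list itself remains scriptable. This is an added illustration, not code from either poster or from the linked document; the chain name `blocklist`, the sample addresses (RFC 5737 documentation ranges, constructed here) and the helper names are assumptions.

```sh
#!/bin/sh
# Added example: generate an iptables-restore ruleset from shell data so the
# whole filter table is swapped in one commit instead of rule by rule.

# Constructed sample input (documentation address ranges, not real hosts).
BLOCKED_ADDRS="203.0.113.7 198.51.100.0/24"

# Print a complete filter table in iptables-save format to stdout.
# $1: whitespace-separated list of source addresses/CIDRs to drop.
gen_ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf ':blocklist - [0:0]\n'
    # Rules derived from the variable: the part a static heredoc cannot do.
    for addr in $1; do
        printf -- '-A blocklist -s %s -j DROP\n' "$addr"
    done
    # Static part of the policy, written as a heredoc as in the cited method.
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -j blocklist
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Number of generated DROP rules in the blocklist chain (for checking).
count_blocklist_rules() {
    gen_ruleset "$1" | grep -c '^-A blocklist '
}

# Parse-check the generated text without touching the kernel
# (iptables-restore --test), then apply it atomically. Does nothing on a
# host without iptables-restore, so the generator can be tested anywhere.
apply_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset "$1" | iptables-restore --test \
            && gen_ruleset "$1" | iptables-restore
    else
        echo "iptables-restore not found; nothing applied" >&2
        return 1
    fi
}
```

Because `--test` only parses, a syntax error is reported before the live table is replaced, which addresses the error-reporting concern raised in point 2 above.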