| 1 |
On Fri, 04 Oct 2013 17:58:14 -0400 |
| 2 |
Michael Orlitzky <michael@××××××××.com> wrote: |
| 3 |
|
| 4 |
> On 10/03/2013 04:28 PM, Kerin Millar wrote: |
| 5 |
> > |
| 6 |
> > The iptables runscript is ideal for persisting the rules. However, |
| 7 |
> > during the initial construction of a non-trivial ruleset, I prefer |
| 8 |
> > to write a script that adds the rules. An elegant way of doing this |
| 9 |
> > is to use iptables-restore with a heredoc. The method - and its |
| 10 |
> > advantages - are described in this document (section 3): |
| 11 |
> > |
| 12 |
> > http://inai.de/documents/Perfect_Ruleset.pdf |
| 13 |
> > |
| 14 |
> |
| 15 |
> This advice is dubious in my opinion. The `iptables` command line is |
| 16 |
> the published interface to iptables. The iptables-restore syntax is an |
| 17 |
> implementation detail, subject to change at any time. |
| 18 |
> |
| 19 |
> Here are his arguments: |
| 20 |
> |
| 21 |
> 1. Calling iptables repeatedly is slow. |
| 22 |
> |
| 23 |
> Who cares? How often do you invoke the script? Once or twice a year |
| 24 |
> when you change it. |
| 25 |
> |
| 26 |
> 2. There is an opportunity for someone to bypass the rules between |
| 27 |
> dropping/recreating them. |
| 28 |
> |
| 29 |
> Again, you run the script once or twice a year. Turn off the interface |
| 30 |
> beforehand if a few microseconds per year is too long to run without a |
| 31 |
> firewall. |
| 32 |
> |
| 33 |
> |
| 34 |
> And my counterarguments: |
| 35 |
> |
| 36 |
> 1. The iptables-restore syntax is uglier and harder to read. |
| 37 |
> |
| 38 |
> 2. You get better error reporting calling iptables repeatedly. |
| 39 |
> |
| 40 |
> 3. The published interface will never change; iptables-restore reads |
| 41 |
> an input language whose specification is "whatever iptables-save |
| 42 |
> outputs." |
| 43 |
> |
| 44 |
> 4. A bash script is far more standard and less confusing to your |
| 45 |
> coworkers. |
| 46 |
> |
| 47 |
> 5. You can't script iptables-restore! What if you want to call sed, |
| 48 |
> cut, or grep on something and pass that to iptables? You can write a |
| 49 |
> bash script that writes an iptables-restore script to accomplish the |
| 50 |
> same thing, but how much complexity are you willing to add for next |
| 51 |
> to no benefit? |
| 52 |
> |
| 53 |
> |
| 54 |
|
| 55 |
Hi, |
| 56 |
Many people use netfilter for busy firewalls not just for set and |
| 57 |
forget firewalls. Having hundreds or thousands of rules and IPs makes |
| 58 |
managing netfilter with iptables problematic. That is when it's |
| 59 |
advisable to change the filter in one swoop with restore or ipset. |
| 60 |
Bottom line is your individual use case is just that, individual. |
Archives