On 14/10/13 04:07, Martin Vaeth wrote:
> Michael Orlitzky <michael@××××××××.com> wrote:
>>>> [...]
>>>> If you have a million rules and you need to wipe/reload them all
>>>> frequently you're probably doing something wrong to begin with.
>>>
>>> I don't know how this is related to the discussion.
>>> The main advantage of using iptables-restore is avoidance of
>>> race conditions. A secondary advantage is a speed improvement;
>>> in my case, the machine boots about 2 seconds faster which can
>>> be a considerable advantage if you start virtual machines.
>>>
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
>
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.
> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...
>

...

If you are going to go to this bother ... why not use shorewall, create
a custom configuration for each site (including any changes to services)
and have your script just copy them in and restart the various
services including shorewall? I have a number of networks from hotspots
to places where I need combinations of vpns, web servers and asterisk
available for demonstrations in lecture theatres through to travelling
and using hotel networks.

The iptables save feature gets a bit difficult to use with complex
setups and if you are doing something dynamic with the rules (fail2ban
for instance) it can save inappropriate rules which need manual culling.

I use a simple script with autosetup using network-manager (yuk,
horrible thing!) to detect known gateways and trigger the script with
that argument for either wifi or cable as appropriate (or setup for
anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this
is on a macbook air if that matters.

BillK
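The kind of script Martin refers to above, which regenerates the xt_recent port-knock rules whenever the sequence or its length changes, as an added example that is not code from either poster. It emits iptables-restore input for a knock sequence of any length; the ports, the 10-second window and the single protected port are assumed for illustration, and the script only prints the ruleset (feeding it to iptables-restore is left to the caller).

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a TCP port-knock sequence of
# any length, using the xt_recent match (one list K1..KN per stage).
#   gen_knock_rules PROTECTED_PORT WINDOW_SECONDS KNOCK_PORT...
# e.g.  gen_knock_rules 22 10 7000 8000 9000 | iptables-restore
emit() { printf '%s\n' "$*"; }

gen_knock_rules() {
    protected=$1; window=$2; shift 2
    n=$#                      # number of knock stages
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':KNOCKING - [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # every new TCP connection attempt is judged by the knock chain
    emit '-A INPUT -p tcp --syn -j KNOCKING'
    # a source that finished all N knocks within the window may connect
    emit "-A KNOCKING -p tcp --dport $protected -m recent --name K$n --rcheck --seconds $window -j ACCEPT"
    # stage rules, emitted last-to-first so that a port which repeats in
    # the sequence is credited to the most advanced stage the source is in
    i=$n
    while [ "$i" -gt 0 ]; do
        eval "port=\${$i}"
        if [ "$i" -eq 1 ]; then
            emit "-A KNOCKING -p tcp --dport $port -m recent --name K1 --set -j DROP"
        else
            emit "-A KNOCKING -p tcp --dport $port -m recent --name K$((i-1)) --rcheck --seconds $window -m recent --name K$i --set -j DROP"
        fi
        i=$((i-1))
    done
    # any other SYN from the source wipes its progress through the sequence
    i=1
    while [ "$i" -le "$n" ]; do
        emit "-A KNOCKING -m recent --name K$i --remove"
        i=$((i+1))
    done
    emit '-A KNOCKING -j DROP'
    emit 'COMMIT'
}
```

Because the whole table is loaded atomically by iptables-restore, changing the sequence never leaves a half-rewritten chain, which is the race Martin's first paragraph is about.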