| 1 |
On 14/10/13 04:07, Martin Vaeth wrote: |
| 2 |
> Michael Orlitzky <michael@××××××××.com> wrote: |
| 3 |
>>>> [...] |
| 4 |
>>>> If you have a million rules and you need to wipe/reload them all |
| 5 |
>>>> frequently you're probably doing something wrong to begin with. |
| 6 |
>>> |
| 7 |
>>> I don't know how this is related with the discussion. |
| 8 |
>>> The main advantage of using iptables-restore is avoidance of |
| 9 |
>>> race conditions. A secondary advantage is a speed improvement; |
| 10 |
>>> in my case, the machine boots about 2 seconds faster which can |
| 11 |
>>> be a considerable advantage if you start virtual machines. |
| 12 |
>>> |
| 13 |
>> |
| 14 |
>> I was just reiterating that there's not much benefit to save/restore if |
| 15 |
>> you're doing things properly (pontification alert!). |
| 16 |
> |
| 17 |
> For a laptop of a scientist like me this is not true at all - it must |
| 18 |
> often be connected in a different environment with different |
| 19 |
> local nets etc. |
| 20 |
> Also for other things (like portknocking using the recent module) |
| 21 |
> you need rather complex rules which are better rewritten by a script, |
| 22 |
> especially if the length of a portknocking sequence changes. |
| 23 |
> Like passwords, these sequences should better not stay the same for |
| 24 |
> too long... |
| 25 |
> |
| 26 |
|
| 27 |
... |
| 28 |
|
| 29 |
If you are going to go to this bother ... why not use shorewall, create |
| 30 |
a custom configuration for each site (including any changes to services) |
| 31 |
and and have your script just copy them in and restart the various |
| 32 |
services including shorewall? I have a number of networks from hotspots |
| 33 |
to places where I need combinations of vpns, web servers and asterisk |
| 34 |
available for demonstrations in lecture theatres through to travelling |
| 35 |
and using hotel networks. |
| 36 |
|
| 37 |
The iptables save feature gets a bit difficult to use with complex |
| 38 |
setups and if you are doing something dynamic with the rules (fail2ban |
| 39 |
for instance) it can save inappropriate rules which need manual culling. |
| 40 |
|
| 41 |
I use a simple script with autosetup using network-manager (yuk, |
| 42 |
horrible thing!) to detect known gateways and trigger the script with |
| 43 |
that argument for either wifi or cable as appropriate (or setup for |
| 44 |
anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this |
| 45 |
is on a macbook air if that matters. |
| 46 |
|
| 47 |
BillK |
Archives