From: Anders Fugmann <afu@fugmann.dhs.org>
To: Bo Jacobsen <subs@systemhouse.dk>
Cc: netfilter@lists.netfilter.org
Subject: Re: Fw: iptables-save/restore question
Date: Tue, 17 Sep 2002 14:45:42 +0200
Message-ID: <3D8723F6.50904@fugmann.dhs.org>
In-Reply-To: 006b01c25e32$5ede5500$6307a8c0@net

Bo Jacobsen wrote:
> I run some iptables commands then run iptables -L -n > testfile1 to save the setup.
> Then I run iptables-restore testfile1 and then run iptables-save again:
> iptables -L -n > testfile2
Why don't you use 'iptables-save' to save the rules?

> The reason we want to make this test is that we need to be sure that the rules generated directly by
> the iptables commands are EXACTLY the same as what the iptables-save/restore command pair does.
Do you distrust the iptables-restore command? If you do, then insert 
each rule by hand (or through a script). You cannot validate rules 
the way you described above, even if the saved files were equal.

Example: Assume a bug is present resulting in iptables -L -n listing all 
IP addresses as 0.0.0.0/0. When you use iptables-restore, then the rules 
have 0.0.0.0/0 instead of the original IP numbers. Even if 
iptables-save/iptables-restore produces the same results, you have not 
proven that iptables-save works, because the original rules did have 
other IP addresses than 0.0.0.0/0.

> One thing is to test that the iptables commands work, another is to blindly trust that our 300 iptables rules
> are correctly saved and restored by iptables-save/restore (a firewall with 4 different local LANs).
What are you afraid of? iptables-restore not being able to process 300 lines? 
Do you trust it to read even 1 rule?

If you cannot trust iptables-restore then do not use it. If you trust 
it, then trust it enough to assume that iptables-restore would yield an 
exit value <> 0 if any error occurred while setting the rules.

Regards
Anders Fugmann


-- 
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.
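A defender's round-trip check in the spirit of this reply, added here as an example; it is not part of the thread or of the netfilter project's tooling. It dumps the live ruleset with iptables-save (rather than iptables -L -n), feeds the dump to iptables-restore, relies on iptables-restore's non-zero exit status to flag load errors, then dumps again and compares after stripping the fields that legitimately differ between two dumps of the same ruleset (the timestamp comment lines and packet/byte counters). The IPTABLES_SAVE / IPTABLES_RESTORE override variables and the normalize_ruleset / roundtrip_check function names are the example's own, assumed for illustration. As the reply points out, a clean comparison only shows that save and restore are self-consistent; it says nothing about whether the first dump matched the rules originally entered.

```shell
#!/bin/sh
# Round-trip check for an iptables ruleset (added example, not from the thread).
# Assumes iptables-save / iptables-restore are on PATH and that the caller has
# the privileges needed to run them; both commands can be overridden through
# the IPTABLES_SAVE / IPTABLES_RESTORE environment variables (hypothetical
# names chosen for this example, which also lets the logic be tested offline).
: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"

# iptables-save output carries fields that differ between two dumps of the
# same rules: the "# Generated by" / "# Completed on" timestamp comments, the
# "[pkts:bytes]" prefix on rule lines when -c is used, and the counters on
# chain policy lines. Strip them so only the rules themselves are compared.
normalize_ruleset() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e '/^:/s/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/[[:space:]]*$//'
}

# Save the live ruleset, restore it, save again and compare the two dumps.
# Exit status: 0 if the round trip reproduced the rules; 1 if iptables-restore
# reported an error (it exits non-zero on any failed rule, which is the signal
# the reply above says to rely on); 2 if the dumps differ; 3 on tooling errors.
roundtrip_check() {
    raw=$(mktemp) || return 3
    before=$(mktemp) || { rm -f "$raw"; return 3; }
    after=$(mktemp) || { rm -f "$raw" "$before"; return 3; }
    rc=0
    if ! "$IPTABLES_SAVE" > "$raw"; then
        echo "roundtrip_check: iptables-save failed" >&2
        rc=3
    elif ! "$IPTABLES_RESTORE" < "$raw"; then
        echo "roundtrip_check: iptables-restore failed; ruleset NOT reproduced" >&2
        rc=1
    else
        normalize_ruleset < "$raw" > "$before"
        "$IPTABLES_SAVE" | normalize_ruleset > "$after"
        if ! cmp -s "$before" "$after"; then
            echo "roundtrip_check: ruleset changed across save/restore:" >&2
            diff "$before" "$after" >&2 || true
            rc=2
        fi
    fi
    rm -f "$raw" "$before" "$after"
    return "$rc"
}

# Run the check only when invoked as "sh roundtrip.sh check", so the file can
# also be sourced for its functions.
case "${1:-}" in
    check) roundtrip_check ;;
esac
```

Run it as `sh roundtrip.sh check` on the firewall and act on the exit status; the diff printed in the status-2 case is the evidence to keep, since it shows which rule lines the restore did not reproduce.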