Re: safely apply new rulesets: iptables-apply

[Maximilian Wilhelm <max@rfc2324.org>]

Am Wednesday, den  5 March hub martin f krafft folgendes in die Tasten:

Hi!

> You probably now the feeling, that cold and hot rush of adrenaline
> after you've typed "iptables-restore < new-ruleset" and didn't get to
> see the shell prompt again: you've just locked yourself out of
> a machine that’s potentially far away, and you feel like vandalism,
> or screaming on the top of your lungs, or whatever.

> I've had that feelings once too many and ended up writing
> iptables-apply[0] with a docbook manpage[1].

> 0. http://svn.madduck.net/pub/sbin/base/iptables-apply
> 1. http://svn.madduck.net/pub/sbin/base/iptables-apply.dbk

> iptables-apply is a simple shell script which applies the new
> ruleset and then prompts whether you like it. If you've locked
> yourself out, you cannot answer the prompt, and if you don't, the
> script rolls back the ruleset. Nice and simple.

Oh well, that's a different approach to my version :)
While hacking on a firewall management framework, I build such a
thing, tooo.

It works a bit different but does basicly the same thing.

My idea was to create a 'token' when the rules have been loaded, wait
for 
$TIME and if the token still exists (as in has no been deleted,
because
it was impossible) revert the ruleset to the old one.

Maybe this is also interesting for others:

 * http://files.rfc2324.org/projects/alff/agent/alff-cat has to be installed
   on the firewalls (config files in the same directory)
 * I push rules to my machines using Alff but basicly a
   cat $rules_file | ssh -l root -x $firewall "alff-cat -" should work.

My scripts still use shell scripts with iptables command in them, as I did
not finish the conversion to iptables-restore...

Just my 0,02 EUR

Greetz from frosty Zurich
Max
-- 
	Follow the white penguin.