* Preferred way of preserving firewall rules on system reboots?
From: Aleksandar Milivojevic @ 2004-05-13 14:48 UTC (permalink / raw)
To: Netfilter User Mailinglist
What is your preferred way of preserving firewall configuration on
firewall reboots? I know this is probably distribution specific.
On Red Hat, you can either edit /etc/init.d/iptables or
/etc/sysconfig/iptables. The former can be overwritten when upgrading the
iptables package, the latter can be overwritten with some temporary
configuration on system reboots (depending on configuration) or when
somebody calls the init.d script with the "save" argument by mistake (making it
"machine generated file", while it should be "administrator generated
configuration file").
So, the question is, how do you usually do it?
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Preferred way of preserving firewall rules on system reboots?
From: Cedric Blancher @ 2004-05-13 14:58 UTC (permalink / raw)
To: Aleksandar Milivojevic; +Cc: Netfilter User Mailinglist
On Thu 13/05/2004 at 16:48, Aleksandar Milivojevic wrote:
> What is your preferred way of preserving firewall configuration on
> firewall reboots? I know this is probably distribution specific.
Every time I need to save the ruleset:

	iptables-save > /etc/firewall

Then, in a startup script (/etc/init.d/networking on my Debian), I add:

	iptables-restore < /etc/firewall
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: Preferred way of preserving firewall rules on system reboots?
From: Alistair Tonner @ 2004-05-13 15:44 UTC (permalink / raw)
To: netfilter
On May 13, 2004 10:58 am, Cedric Blancher wrote:
> On Thu 13/05/2004 at 16:48, Aleksandar Milivojevic wrote:
> > What is your preferred way of preserving firewall configuration on
> > firewall reboots? I know this is probably distribution specific.
>
> Every time I need to save the ruleset :
>
> iptables-save > /etc/firewall
>
> Then, in a startup script (/etc/init.d/networking on my Debian), I add :
>
> iptables-restore < /etc/firewall
I've modified my scripts: in the 'shutdown' routines it rotates the last 7
saved files and then saves the current with iptables-save;
startup calls the most recent file by default ... If I manually modify the
firewall I can call the save function with init.d script, and it DOESN'T
overwrite the current config, it rotates the files.
Just *my* two cents worth
Alistair
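
The rotation scheme described in the message above, sketched as an added example (it is not Alistair's script or any distribution's init script). The directory /var/lib/firewall, the rules.N naming and the SAVE_CMD/RESTORE_CMD overrides are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: keep the last $KEEP rulesets instead of overwriting one file.
# FW_DIR, the rules.N names and the *_CMD overrides are assumptions.
FW_DIR="${FW_DIR:-/var/lib/firewall}"
KEEP="${KEEP:-7}"
SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

fw_save() {
    umask 077                      # saved rulesets readable by root only
    mkdir -p "$FW_DIR" || return 1
    tmp="$FW_DIR/rules.tmp.$$"
    # Dump first: a failed or empty dump must never push out a good file.
    if ! $SAVE_CMD > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    # Shift rules.(KEEP-2) -> rules.(KEEP-1), ..., rules.0 -> rules.1;
    # the oldest file is overwritten by the shift.
    i=$((KEEP - 1))
    while [ "$i" -gt 0 ]; do
        if [ -f "$FW_DIR/rules.$((i - 1))" ]; then
            mv -f "$FW_DIR/rules.$((i - 1))" "$FW_DIR/rules.$i"
        fi
        i=$((i - 1))
    done
    mv -f "$tmp" "$FW_DIR/rules.0"  # newest ruleset is always rules.0
}

fw_restore() {
    # Default is the most recent save; pass 1, 2, ... to roll back.
    f="$FW_DIR/rules.${1:-0}"
    if [ ! -s "$f" ]; then
        echo "no saved ruleset: $f" >&2
        return 1
    fi
    $RESTORE_CMD < "$f"
}

# init-script style dispatch: save on shutdown or on request, load at boot.
case "${1:-}" in
    save|stop) fw_save ;;
    start)     fw_restore "${2:-0}" ;;
esac
```

Because the dump is written to a temporary file before anything is moved, an accidental or failed "save" costs at most the oldest generation, and an earlier ruleset can be reloaded with `start 1`.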
* Re: Preferred way of preserving firewall rules on system reboots?
From: Aleksandar Milivojevic @ 2004-05-13 16:11 UTC (permalink / raw)
To: Cedric Blancher; +Cc: Netfilter User Mailinglist
Cedric Blancher wrote:
> On Thu 13/05/2004 at 16:48, Aleksandar Milivojevic wrote:
>
>>What is your preferred way of preserving firewall configuration on
>>firewall reboots? I know this is probably distribution specific.
>
>
> Every time I need to save the ruleset :
>
> iptables-save > /etc/firewall
>
> Then, in a startup script (/etc/init.d/networking on my Debian), I add :
>
> iptables-restore < /etc/firewall
This is something that Red Hat's init.d script is doing (if called with
"save"). However, using this approach, there's no space left for any
comments. It is questionable whether I would still remember why I have some
"special" set of rules one year from now, if there were no comments in
the file. And it makes it very hard for somebody else to change anything I
created (something obvious to me might not be obvious to somebody else;
heck, it might not be obvious to me a couple of months down the road). I
find having comments in configuration files very important.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7