
Re: Firewall/init scripts problem



On Mon, 2003-03-17 at 05:05, Jamin W. Collins wrote:
> On Mon, Mar 17, 2003 at 01:21:08AM +0100, Aaron Isotton wrote:
> > On Sun, 2003-03-16 at 16:03, Jamin W. Collins wrote:
> > 
> > > Ditch the idea of iptable-save and iptables-restore.  Create your
> > > script in such a way that it flushes all existing rules on startup
> > > and then builds all needed rules.  If you'd like an example of how
> > > thigs is done take a look at my script
> > > (http://asgardsrealm.net/linux/firewall/).
> > 
> > Hmm.  That's the way I did it before (before having all these great
> > ideas about iptables-save and iptables-restore).  I don't very much
> > like it, but that's the only way to do it reasonably, as it seems.
> 
> Is there something particular that you dislike about this method?  Or,
> is it in some way lacking?
> 

What I liked about using iptables-save and iptables-restore is that
calling /etc/init.d/firewall stop would put the firewall exactly back
into the state it was before; doing something like

iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
(and so on)

will just put the firewall back into its current default configuration,
which may or may not be what it was before calling /etc/init.d/firewall
start.

Aaron Isotton                                 [ http://www.isotton.com ]
--
Individualists unite!
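The start/stop discipline described in the message above, as an added example (it is not code from this thread or from either poster's site): "start" snapshots the live ruleset with iptables-save before loading the firewall rules, and "stop" restores that exact snapshot instead of flushing to ACCEPT policies. The paths in STATE_FILE and RULES_FILE are assumed, and the IPT_SAVE/IPT_RESTORE variables exist only so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: an init-style firewall script that returns the host to the
# ruleset it had before "start", not to the kernel's default of ACCEPT.
# STATE_FILE and RULES_FILE are assumed locations; RULES_FILE is in
# iptables-save format. IPT_SAVE/IPT_RESTORE may be overridden for testing.

STATE_FILE="${STATE_FILE:-/var/run/firewall.pre-start}"
RULES_FILE="${RULES_FILE:-/etc/firewall/rules.v4}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

fw_start() {
    # Refuse to overwrite an existing snapshot: a second "start" would capture
    # our own rules, and "stop" could then never return to the earlier state.
    if [ -e "$STATE_FILE" ]; then
        echo "firewall: already started (snapshot $STATE_FILE exists)" >&2
        return 1
    fi
    umask 077   # the snapshot reveals the policy; keep it root-readable only
    "$IPT_SAVE" > "$STATE_FILE" || { rm -f "$STATE_FILE"; return 1; }
    # iptables-restore loads the whole ruleset in one commit; if it fails the
    # kernel keeps the old rules, so drop the snapshot to signal "not started".
    if ! "$IPT_RESTORE" < "$RULES_FILE"; then
        rm -f "$STATE_FILE"
        return 1
    fi
}

fw_stop() {
    if [ ! -e "$STATE_FILE" ]; then
        echo "firewall: no snapshot found, was start ever run?" >&2
        return 1
    fi
    # Put back exactly what was there before start, then forget the snapshot.
    "$IPT_RESTORE" < "$STATE_FILE" && rm -f "$STATE_FILE"
}

# Dispatch only when invoked with an action, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        *) echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```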
