Neil, I didn't want this query to the list to go by without notice.
Thanks for bringing up the topic of iptables. This is indeed a very crucial file to keep in sync with what's running in the kernel on production hosts. I hadn't seen the articles, so they're now on my list of important reads (along with cfengine's regexp pattern matching methods...). We're not doing anything quite yet, but I can see a need for it here where I work. I'd be interested in other responses.

deb

On 12/29/10 11:25 AM, no-re...@cfengine.com wrote:
> Forum: Cfengine Help
> Subject: Iptables and Cfengine
> Author: neilhwatson
> Link to topic: https://cfengine.com/forum/read.php?3,19976,19976#msg-19976
>
> I've been looking at Mark's release of the Cloud Pack(1). In it there is a
> policy for maintaining Iptables(2). This is trickier than one might think.
> The promise shown will keep the saved version of what Iptables rules should
> be running correct. It does not address what is actually running. New rules
> can be inserted into the kernel without altering the Iptables 'save' file.
> What to do?
>
> In the past I have compared the output of iptables -L with the ideal output
> stored in file. If it is different then I reload my master rules. I am
> curious what others have done.
>
> 1. http://www.cfengine.org/cftimes/articles/0000000048.html
> 2. http://source.cfengine.com/browse/copbl/trunk/OrionCloudServices/iptables.cf?revision=65&view=markup
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
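A worked version of the check Neil describes (compare what the kernel is running with the master rules, reload on mismatch), as an added example that is not code from this thread or from the Cloud Pack policy he links to. It is a plain POSIX shell script; the file names, function names and the sample rule dumps are assumptions and constructed data, not captured from any host. It diffs `iptables-save` output rather than `iptables -L`, and strips the parts of a dump that change between runs (timestamps, counters) so that only real policy differences count as drift:

```shell
#!/bin/sh
# Added example (not code from this thread or the Cloud Pack policy it links
# to): compare the rules loaded in the kernel with a master file in
# iptables-save format and reload the master when they differ. Assumptions
# (hypothetical): the master file covers every table iptables-save prints on
# the host, iptables-save/iptables-restore are on PATH, enforce_rules runs as root.

# normalize_rules: canonicalize an iptables-save dump read on stdin, dropping
# what changes between dumps without a policy change: the "# Generated by" /
# "# Completed on" stamps, chain counters ("[1532:98210]") and per-rule counters.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^:\([^ ]*\) \([^ ]*\) \[[0-9]*:[0-9]*\]$/:\1 \2/' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d'
}

# rules_diff MASTER [RUNNING_CMD]: unified diff of normalized MASTER against the
# normalized running ruleset. RUNNING_CMD (default iptables-save) is a parameter
# so the check runs offline on a saved dump. Exit: 0 same, 1 differ, 2 error.
rules_diff() {
    master=$1
    running_cmd=${2:-iptables-save}
    [ -r "$master" ] || { echo "rules_diff: cannot read $master" >&2; return 2; }
    raw=$($running_cmd) || { echo "rules_diff: '$running_cmd' failed" >&2; return 2; }
    tmp_want=$(mktemp) || return 2
    tmp_have=$(mktemp) || { rm -f "$tmp_want"; return 2; }
    normalize_rules < "$master" > "$tmp_want"
    printf '%s\n' "$raw" | normalize_rules > "$tmp_have"
    diff -u "$tmp_want" "$tmp_have" && rc=0 || rc=$?
    rm -f "$tmp_want" "$tmp_have"
    return "$rc"
}

# rules_drifted MASTER [RUNNING_CMD]: 0 when the running rules differ from
# MASTER, 1 when they match, 2 when they could not be compared.
rules_drifted() {
    rules_diff "$@" > /dev/null && rc=0 || rc=$?
    case $rc in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# enforce_rules MASTER: reload MASTER when the kernel has drifted, then re-check
# so a restore that did not take effect is reported; never touches the kernel
# when the comparison itself failed. Returns 0 when the kernel matches on exit.
enforce_rules() {
    master=$1
    rules_drifted "$master" && drift=0 || drift=$?
    [ "$drift" -eq 1 ] && return 0
    [ "$drift" -eq 2 ] && { echo "enforce_rules: comparison failed" >&2; return 1; }
    echo "iptables: running rules differ from $master, reloading" >&2
    rules_diff "$master" >&2 || :
    iptables-restore < "$master" || { echo "iptables: iptables-restore failed" >&2; return 1; }
    if rules_drifted "$master"; then
        echo "iptables: rules still differ after restore" >&2
        return 1
    fi
    return 0
}

# write_samples DIR: constructed sample dumps (not from a real host): master
# (the policy), running_ok (iptables-save output when the kernel matches it:
# live counters and stamps), running_drifted (a port-8080 ACCEPT inserted by hand).
write_samples() {
    dir=$1
    cat > "$dir/master" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    {
        echo '# Generated by iptables-save v1.4.7 on Wed Dec 29 11:25:00 2010'
        sed -e 's/^:INPUT DROP \[0:0\]/:INPUT DROP [1532:98210]/' \
            -e 's/^:OUTPUT ACCEPT \[0:0\]/:OUTPUT ACCEPT [20417:3398113]/' "$dir/master"
        echo '# Completed on Wed Dec 29 11:25:00 2010'
    } > "$dir/running_ok"
    awk '/^-A INPUT -i lo /{print "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT"} {print}' \
        "$dir/running_ok" > "$dir/running_drifted"
}

# demo: run the check against both constructed dumps; needs no root.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for dump in running_ok running_drifted; do
        rules_drifted "$dir/master" "cat $dir/$dump" && echo "$dump: DRIFT" || echo "$dump: matches master"
    done
    rm -rf "$dir"
}
demo
```

On a real host the entry point is `enforce_rules /path/to/master-rules` (for example from a cfengine `commands:` promise run as root). `iptables-save` is used instead of `iptables -L` for three reasons: `-L` does reverse DNS lookups unless given `-n`, so its output is slow and can change with the resolver; it lists only one table per call, so rules slipped into `nat` or `mangle` are invisible to a `filter`-only comparison; and it is not a format `iptables-restore` can load back, so you end up keeping two representations of the same policy. Because the dump preserves rule order, a rule added with `-I` is caught even when the same rule exists elsewhere in the chain. The caveat that bites most often: the master file must contain every table `iptables-save` prints on that host (a `*nat` section is emitted as soon as the nat module is loaded), otherwise the check reports drift on every run and keeps restoring a file that never fixes it.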