On 7/2/07, Baruch Even <[EMAIL PROTECTED]> wrote:
* Maxim Veksler <[EMAIL PROTECTED]> [070702 03:32]:
> On 7/2/07, Lior Kaplan <[EMAIL PROTECTED]> wrote:
> >Maxim Veksler wrote:
> >
> >Use iptables-save to save your current rules as to the iptables rules
> >files. It will be loaded on the next reboot using iptables-restore.
> >
>
> Ha?
>
> I must be missing something, I would like the rules to load
> _automatically_ on next boot.
> Using iptables-restore is great, provided that someone/something
> invokes it on system reboot, that is exactly what I'm doing in the
> script attached to my previous email.
>
> Is there already something that will handle this automatically?

You can have up rules in your network configuration file
/etc/network/interfaces; such an up rule can load the firewall ruleset.
This can also be a pre-up rule to load the rules before the interface is
up. Something like:

iface eth0 inet dhcp
    pre-up iptables-restore < /root/iptables.rulez

Hello Baruch,

Let me try explaining what it is that I find missing in Debian's iptables setup:

The most basic use case is for a sysadmin to configure rules and
expect them to survive reboot. This is the behavior he is familiar
with from nearly every enterprise FW device. Here, on Debian OTOH he's
instructed to script in /etc/network/if-pre-up.d to have the system
load iptables rule set on boot, reasonable except for the single issue
of him being required to also _remember_ to iptables-save those rules on
each modification. I find this process error prone. There is not a
single utility (AFAIK) in Debian repository to automate this process.

I think that the optimal work method would be for the system to write
iptables rules on shutdown and have them restored back next boot. I'm
doing this in my firewall script by taking actions on start|stop.
Thus, you know that all you need to do is run iptables -A INPUT... to
have your firewall ticking.

Cheers,
Baruch
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
--
Cheers,
Maxim Veksler
"Free as in Freedom" - Do u GNU ?
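
The save-on-shutdown, restore-on-boot approach discussed in this thread, as an added example that is not part of the original messages and is not the script attached to the earlier email. The rules path and the IPTABLES_SAVE / IPTABLES_RESTORE override variables are assumptions of this sketch; it validates a dump before replacing the last known-good file, so a failed or truncated save at shutdown does not leave the host without a ruleset on the next boot.

```shell
#!/bin/sh
# Added example: save the live ruleset on "stop", restore it on "start".
# RULES_FILE and the IPTABLES_SAVE / IPTABLES_RESTORE overrides are assumptions.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

save_rules() {
    # Temp file beside the target (mktemp creates it mode 0600) so mv is atomic.
    tmp=$(mktemp "${RULES_FILE}.XXXXXX") || return 1
    if ! $IPTABLES_SAVE > "$tmp"; then
        rm -f "$tmp"
        echo "iptables-save failed; keeping previous $RULES_FILE" >&2
        return 1
    fi
    # Reject an empty dump or one that iptables-restore cannot parse, so a
    # bad shutdown never overwrites the last known-good ruleset.
    if [ ! -s "$tmp" ] || ! $IPTABLES_RESTORE --test < "$tmp"; then
        rm -f "$tmp"
        echo "dump rejected; keeping previous $RULES_FILE" >&2
        return 1
    fi
    mv -f "$tmp" "$RULES_FILE"
}

restore_rules() {
    if [ ! -r "$RULES_FILE" ]; then
        echo "no saved ruleset at $RULES_FILE; nothing loaded" >&2
        return 1
    fi
    # Parse-check first so a corrupt file is reported before anything is loaded.
    $IPTABLES_RESTORE --test < "$RULES_FILE" || return 1
    $IPTABLES_RESTORE < "$RULES_FILE"
}

# Called from an init or if-pre-up.d script as: <script> start|stop
case "${1:-}" in
    start) restore_rules ;;
    stop)  save_rules ;;
esac
```

Because restore_rules returns non-zero when the file is missing or unparsable, the calling boot script can decide whether to bring the interface up without a firewall or to stop.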