From: Dragostin Yanev <gentoo+user@netixen.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Where to put advanced routing configuration?
Date: Sat, 5 Oct 2013 01:33:52 +0300
Message-ID: <20131005013352.1839eee7@gacer.netixen.com>
In-Reply-To: <524F39F6.4040409@orlitzky.com>
On Fri, 04 Oct 2013 17:58:14 -0400
Michael Orlitzky <michael@orlitzky.com> wrote:
> On 10/03/2013 04:28 PM, Kerin Millar wrote:
> >
> > The iptables runscript is ideal for persisting the rules. However,
> > during the initial construction of a non-trivial ruleset, I prefer
> > to write a script that adds the rules. An elegant way of doing this
> > is to use iptables-restore with a heredoc. The method - and its
> > advantages - are described in this document (section 3):
> >
> > http://inai.de/documents/Perfect_Ruleset.pdf
> >
>
> This advice is dubious in my opinion. The `iptables` command line is
> the published interface to iptables. The iptables-restore syntax is an
> implementation detail, subject to change at any time.
>
> Here are his arguments:
>
> 1. Calling iptables repeatedly is slow.
>
> Who cares? How often do you invoke the script? Once or twice a year
> when you change it.
>
> 2. There is an opportunity for someone to bypass the rules between
> dropping/recreating them.
>
> Again, you run the script once or twice a year. Turn off the interface
> beforehand if a few microseconds per year is too long to run without a
> firewall.
>
>
> And my counterarguments:
>
> 1. The iptables-restore syntax is uglier and harder to read.
>
> 2. You get better error reporting calling iptables repeatedly.
>
> 3. The published interface will never change; iptables-restore reads
> an input language whose specification is "whatever iptables-save
> outputs."
>
> 4. A bash script is far more standard and less confusing to your
> coworkers.
>
> 5. You can't script iptables-restore! What if you want to call sed,
> cut, or grep on something and pass that to iptables? You can write a
> bash script that writes an iptables-restore script to accomplish the
> same thing, but how much complexity are you willing to add for next
> to no benefit?
>
>
Hi,
Many people use netfilter for busy firewalls, not just for set-and-forget
firewalls. Having hundreds or thousands of rules and IPs makes managing
netfilter with iptables problematic. That is when it's advisable to
change the filter in one swoop with restore or ipset.
Bottom line is, your individual use case is just that: individual.
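As an added example (not from the thread, nor from the PDF Kerin links), the heredoc method combined with a shell loop, which is the scripting the previous mail says is impossible: the function builds a complete iptables-restore input from a list of addresses and loads the whole filter table in one COMMIT, so there is never a half-built ruleset on the wire. The address list, the function names and the `--test` dry-run before the real load are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file from a list and load it
# atomically (one COMMIT), instead of calling iptables once per rule.
# The address list below is a constructed sample, not a real deployment.
TRUSTED_NETS="192.0.2.0/24 198.51.100.7"

# gen_ruleset: print a full filter-table ruleset. The static part is a
# quoted heredoc; the dynamic part is a loop, so anything sed/grep/cut
# can produce can be fed in, just as with repeated iptables calls.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for net in $TRUSTED_NETS; do
        printf '%s\n' "-A INPUT -s $net -p tcp --dport 22 -j ACCEPT"
    done
    echo COMMIT
}

# count_rules: number of -A lines, a cheap sanity check on generation.
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# apply_ruleset: parse-only pass first (--test builds the ruleset without
# committing it), then load the table in one step. Needs root and the
# iptables tools; gen_ruleset itself runs anywhere.
apply_ruleset() {
    gen_ruleset | iptables-restore --test || return 1
    gen_ruleset | iptables-restore
}

# Usage: ./rules.sh show   (print the generated file)
#        ./rules.sh apply  (load it, as root)
case "${1:-}" in
    show)  gen_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Because the error from `--test` aborts before anything is loaded, a typo in one generated line never leaves the box with the old rules flushed and the new ones half applied.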