From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 303601381F3 for ; Fri, 4 Oct 2013 22:34:03 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 540EEE094E; Fri, 4 Oct 2013 22:33:56 +0000 (UTC)
Received: from vm.novsite.com (unknown [87.120.7.89]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2E76FE08E8 for ; Fri, 4 Oct 2013 22:33:55 +0000 (UTC)
Received: from gacer.netixen.com (unknown [151.237.113.189]) by vm.novsite.com (Postfix) with ESMTPSA id 8EA625600AD for ; Sat, 5 Oct 2013 01:33:52 +0300 (EEST)
Date: Sat, 5 Oct 2013 01:33:52 +0300
From: Dragostin Yanev
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Where to put advanced routing configuration?
Message-ID: <20131005013352.1839eee7@gacer.netixen.com>
In-Reply-To: <524F39F6.4040409@orlitzky.com>
References: <524DD388.9020507@fastmail.co.uk> <524F39F6.4040409@orlitzky.com>
X-Mailer: Claws Mail 3.9.0 (GTK+ 2.24.17; x86_64-pc-linux-gnu)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 278a2e5c-0bdf-4585-8b49-1c57fdf98720
X-Archives-Hash: 81e8401e67e5cfb42d105dfdb8d56e9d

On Fri, 04 Oct 2013 17:58:14 -0400
Michael Orlitzky wrote:

> On 10/03/2013 04:28 PM, Kerin Millar wrote:
> >
> > The iptables runscript is ideal for persisting the rules. However,
> > during the initial construction of a non-trivial ruleset, I prefer
> > to write a script that adds the rules. An elegant way of doing this
> > is to use iptables-restore with a heredoc. The method - and its
> > advantages - are described in this document (section 3):
> >
> > http://inai.de/documents/Perfect_Ruleset.pdf
> >
>
> This advice is dubious in my opinion. The `iptables` command line is
> the published interface to iptables. The iptables-restore syntax is an
> implementation detail, subject to change at any time.
>
> Here are his arguments:
>
> 1. Calling iptables repeatedly is slow.
>
> Who cares? How often do you invoke the script? Once or twice a year
> when you change it.
>
> 2. There is an opportunity for someone to bypass the rules between
> dropping/recreating them.
>
> Again, you run the script once or twice a year. Turn off the interface
> beforehand if a few microseconds per year is too long to run without a
> firewall.
>
>
> And my counterarguments:
>
> 1. The iptables-restore syntax is uglier and harder to read.
>
> 2. You get better error reporting calling iptables repeatedly.
>
> 3. The published interface will never change; iptables-restore reads
> an input language whose specification is "whatever iptables-save
> outputs."
>
> 4. A bash script is far more standard and less confusing to your
> coworkers.
>
> 5. You can't script iptables-restore! What if you want to call sed,
> cut, or grep on something and pass that to iptables? You can write a
> bash script that writes an iptables-restore script to accomplish the
> same thing, but how much complexity are you willing to add for next
> to no benefit?
>

Hi,

Many people use netfilter for busy firewalls, not just for set-and-forget firewalls. Having hundreds or thousands of rules and IPs makes managing netfilter with iptables problematic. That is when it's advisable to change the filter in one swoop with restore or ipset.

Bottom line is your individual use case is just that, individual.
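An added example, not from the thread, of the heredoc-plus-generation approach Kerin describes and that Michael's point 5 objects to: the static part of the ruleset is a heredoc, the per-host rules come from a loop, and the whole table is handed to iptables-restore once, so the kernel never sees a half-rebuilt table. The host list, function names and the `--test` parse-only pre-check are my assumptions; only `apply_ruleset` needs root and iptables-restore.

```shell
#!/bin/sh
# Added example (not from the thread): generate a complete iptables-restore
# input from shell data and commit it in one step.

# Constructed sample input: management hosts allowed to reach SSH.
MGMT_HOSTS="192.0.2.10
198.51.100.0/24"

# Print one filter table in iptables-restore syntax for the given host list.
# Static rules are a heredoc; per-host rules are produced by a loop, which is
# the "scripting" the thread argues iptables-restore cannot do.
build_ruleset() {
    hosts="$1"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Skip blank lines so a trailing newline in the input adds no bogus rule.
    printf '%s\n' "$hosts" | grep -v '^[[:space:]]*$' | while read -r h; do
        printf '%s\n' "-A INPUT -s $h -p tcp --dport 22 -j ACCEPT"
    done
    echo COMMIT
}

# Number of -A rules in the generated table: a cheap sanity check before
# committing (e.g. refuse an empty host list that would lock everyone out).
count_rules() {
    build_ruleset "$1" | grep -c '^-A'
}

# Parse-only check first (iptables-restore --test), then one atomic commit:
# unlike flush-then-add with iptables, there is no window with partial rules.
apply_ruleset() {
    rs=$(build_ruleset "$1")
    printf '%s\n' "$rs" | iptables-restore --test || return 1
    printf '%s\n' "$rs" | iptables-restore
}
```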