From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Date: Sun, 13 Oct 2013 12:37:12 -0400
Message-ID: <525ACC38.8060008@orlitzky.com>
In-Reply-To: <slrnl5leg8.a3q.vaeth@lounge.imp.fu-berlin.de>

On 10/13/2013 11:19 AM, Martin Vaeth wrote:
>>>
>> [...]
>> If you have a million rules and you need to wipe/reload them all
>> frequently you're probably doing something wrong to begin with.
> 
> I don't know how this is related with the discussion.
> The main advantage of using iptables-restore is avoidance of
> race conditions. A secondary advantage is a speed improvement;
> in my case, the machine boots about 2 seconds faster which can
> be a considerable advantage if you start virtual machines.
> 

I was just reiterating that there's not much benefit to save/restore if
you're doing things properly (pontification alert!). I should say first
of all that save/restore is perfect for reboots. If you're not
*changing* anything, of course save/restore is better, and suffers none
of the problems that I mentioned: you don't read it, the output is fed
directly as input, no errors should occur...

The bash script is used a couple times a year, and really is there to
serve as the specification for what your firewall should do.

For example, I'm rebuilding our MX today. I checked the config out of
git, ran iptables-config (our script), ran /etc/init.d/iptables save,
and the firewall is up and running. When will I run the script again?
The next time I rebuild the server? That's certainly the last time I ran
it. We have firewalls that change more often, but not so frequently that
the speed would be a problem if it were 1000x slower.

The MX firewall is actually updated many times per day and accumulates
many rules, but they're inserted/deleted in-place by fail2ban, so a full
wipe/reload doesn't occur. If you have frequently-changing permanent
rules -- say, lots of static NAT entries going in/out for new employees
-- then you should be doing insert/delete instead of a full reload just
the same. But, add the rule to your iptables script (with a comment!) so
that you have it on the record. Once every six months or so, run the
thing to make sure nobody made a copy/paste error.

Race conditions don't really seem that serious to me. Of course, if
you're using iptables for both authorization and authentication, then
you're already doing something wrong, and you should fix that instead of
trying to make the broken thing run faster. But if not, who cares if
you're vulnerable to a brute force attack for 2 seconds? If you're
worried about that, implement a password policy. The firewall is the
last layer of defense-in-depth; if the absence of a firewall gives you
nightmares, the absence of a firewall is not your problem.

All of security is a trade-off, and in my opinion, having
human-friendly, easily-readable rules (with error checking) will prevent
more problems over time than does eliminating the race condition.
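The two positions in this thread (a readable script as the specification, versus iptables-restore to avoid the window in which rules are half-loaded) are not mutually exclusive. The following is an added example, not code from this message or from the Gentoo init scripts: a small POSIX shell script that keeps the rules in commented, human-readable form, builds an iptables-restore input file from them, and applies that file in one step. The addresses are constructed placeholders from the documentation ranges, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: a firewall "specification" script that emits an
# iptables-restore rule set and applies it atomically, so the running
# rules are never flushed before the new ones are in place.
set -eu

MX_ADDR="192.0.2.10"           # constructed placeholder (TEST-NET-1)
ADMIN_NET="198.51.100.0/24"    # constructed placeholder (TEST-NET-2)

# Emit the complete rule set in iptables-save format on stdout.
# Edit this function, with comments, rather than the generated file.
build_rules() {
    cat <<EOF
# Generated by $0 -- edit the script, not this output
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and traffic belonging to existing connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Mail: SMTP to the MX address from anywhere
-A INPUT -d $MX_ADDR -p tcp --dport 25 -j ACCEPT
# Management: SSH only from the admin network
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Number of rule lines (-A ...) in the generated set; a cheap sanity check
# against a copy/paste error that silently drops a rule.
count_rules() {
    build_rules | grep -c '^-A'
}

# Apply the rule set in one step. iptables-restore --test parses the whole
# file without committing, so a typo is reported before the live rules are
# touched; the real restore then replaces the filter table atomically.
apply_rules() {
    tmp=$(mktemp)
    build_rules > "$tmp"
    if iptables-restore --test "$tmp" && iptables-restore "$tmp"; then
        rc=0
    else
        rc=1
        echo "rule set rejected; running firewall left unchanged" >&2
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: ./firewall.sh show   (print the rule set)
#        ./firewall.sh apply  (load it, requires root)
case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

Running the script with `show` gives a file you can read and diff against `iptables-save` output on the host, which covers the "run it every six months to catch copy/paste errors" check without a full wipe and reload.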