From: William Kenworthy
Date: Mon, 14 Oct 2013 05:45:28 +0800
To: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Message-ID: <525B1478.3090305@iinet.net.au>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130928 Thunderbird/17.0.9
References: <524DD388.9020507@fastmail.co.uk> <524F39F6.4040409@orlitzky.com> <525AAADE.7040700@orlitzky.com> <525ACC38.8060008@orlitzky.com>

On 14/10/13 04:07, Martin Vaeth wrote:
> Michael Orlitzky wrote:
>>>> [...]
>>>> If you have a million rules and you need to wipe/reload them all
>>>> frequently you're probably doing something wrong to begin with.
>>>
>>> I don't know how this is related with the discussion.
>>> The main advantage of using iptables-restore is avoidance of
>>> race conditions. A secondary advantage is a speed improvement;
>>> in my case, the machine boots about 2 seconds faster which can
>>> be a considerable advantage if you start virtual machines.
>>>
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
>
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.
> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...
> ...

If you are going to go to this bother ... why not use shorewall, create a custom configuration for each site (including any changes to services) and have your script just copy them in and restart the various services, including shorewall? I have a number of networks, from hotspots to places where I need combinations of VPNs, web servers and Asterisk available for demonstrations in lecture theatres, through to travelling and using hotel networks.

The iptables save feature gets a bit difficult to use with complex setups, and if you are doing something dynamic with the rules (fail2ban for instance) it can save inappropriate rules which need manual culling. I use a simple script with auto-setup using network-manager (yuk, horrible thing!) to detect known gateways and trigger the script with that argument for either wifi or cable as appropriate (or set up for an anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this is on a MacBook Air, if that matters.

BillK
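As an added example (not code from this thread or from any of its posters), the sketch below does in POSIX sh what BillK describes: map a detected gateway to a per-site profile, fall back to a locked-down "hotspot" or "dhcp" profile for unknown networks, render a complete ruleset in iptables-restore format so the whole table is replaced atomically (Martin's race-condition point), and cull fail2ban's dynamic chains out of an iptables-save dump before it is kept as a profile. The gateway addresses, profile names and opened ports are constructed for the example, and the fail2ban chain-name pattern (f2b-* or fail2ban-*) is an assumption about that tool's naming.

```shell
#!/bin/sh
# Added example, not from the gentoo-user thread: pick a firewall profile
# from the gateway address, render an iptables-restore ruleset for it,
# strip fail2ban's dynamic chains from a saved dump, and apply atomically.

# Constructed table of known gateways -> site profile ("ip profile" per line).
KNOWN_GATEWAYS='192.168.44.1 home
10.0.0.1 lecture'

# select_profile <gateway-ip> <link-type: wifi|cable>
# Prints the profile name. A known gateway maps to its site profile; an
# unknown wifi network gets "hotspot", an unknown cable network "dhcp".
select_profile() {
    gw=$1; kind=$2
    profile=$(printf '%s\n' "$KNOWN_GATEWAYS" |
              awk -v gw="$gw" '$1 == gw { print $2; exit }')
    if [ -n "$profile" ]; then
        printf '%s\n' "$profile"
    elif [ "$kind" = wifi ]; then
        printf 'hotspot\n'
    else
        printf 'dhcp\n'
    fi
}

# render_rules <profile>
# Emits a full filter table in iptables-restore syntax: default-deny inbound,
# loopback and established traffic allowed, and only the trusted site
# profiles open any service. Because the table is committed as one unit,
# there is no window where the old rules are flushed and the new ones are
# only half loaded.
render_rules() {
    profile=$1
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    case $profile in
        home)
            # Constructed: ssh from the home LAN only
            printf '%s\n' '-A INPUT -s 192.168.44.0/24 -p tcp --dport 22 -j ACCEPT' ;;
        lecture)
            # Constructed: web server and Asterisk SIP signalling for demos
            printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT'
            printf '%s\n' '-A INPUT -p udp --dport 5060 -j ACCEPT' ;;
        hotspot|dhcp)
            ;;  # nothing inbound on untrusted networks
    esac
    printf '%s\n' 'COMMIT'
}

# cull_dynamic (reads an iptables-save dump on stdin)
# Drops fail2ban's chain declarations, the jumps into them and their rules,
# so a profile saved from a running box does not bake in bans that happened
# to be live at save time. Chain-name pattern is an assumption.
cull_dynamic() {
    grep -v -E '^:(f2b|fail2ban)-|-j (f2b|fail2ban)-|^-A (f2b|fail2ban)-'
}

# apply_profile <profile>: atomic replacement of the filter table.
# Needs root and a real iptables; intended to be called from a
# NetworkManager dispatcher hook that has worked out gateway and link type.
apply_profile() {
    render_rules "$1" | iptables-restore
}
```

A dispatcher hook would call something like `apply_profile "$(select_profile "$GW" "$KIND")"`, with `GW` and `KIND` derived from the interface that just came up; the ruleset functions above run without privileges, so the profile logic can be exercised before it ever touches the live firewall.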