From: Martin Vaeth
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: scripted iptables-restore
Date: Sun, 13 Oct 2013 20:07:20 +0000 (UTC)

Michael Orlitzky wrote:
>>> [...]
>>> If you have a million rules and you need to wipe/reload them all
>>> frequently you're probably doing something wrong to begin with.
>>
>> I don't know how this is related to the discussion.
>> The main advantage of using iptables-restore is avoidance of
>> race conditions. A secondary advantage is a speed improvement;
>> in my case, the machine boots about 2 seconds faster which can
>> be a considerable advantage if you start virtual machines.
>>
>
> I was just reiterating that there's not much benefit to save/restore if
> you're doing things properly (pontification alert!).

For a laptop of a scientist like me this is not true at all - it must
often be connected in a different environment with different local nets
etc. Also for other things (like portknocking using the recent module)
you need rather complex rules which are better rewritten by a script,
especially if the length of a portknocking sequence changes.
Like passwords, these sequences should better not stay the same for too
long...

> Race conditions don't really seem that serious to me.
Maybe, but I am not sure: There might be situations where it might be
possible to keep a port open even when the rule is rewritten later on;
then you need an open system only once... So, I could imagine that with
some clever hacks an attacker might keep ports open and then do another
attack later on. I am not an experienced hacker to know such attacks,
but I know that races can be very subtle and provide attack vectors
nobody has ever thought of.

> All of security is a trade-off, and in my opinion, having
> human-friendly, easily-readable rules (with error checking)

It is easy to switch to one method for testing and then back when
everything works: If you write $iptables ... throughout, you just have
to set iptables="iptables" or iptables="FvwmTables 4" respectively.
In fact, the firewall-mv script does this (with a different mechanism)
depending on a command-line switch.

Moreover, I observed that the error checking works with iptables-restore
as well as with iptables: It shows you almost the same errors, including
a line number. So the only difference is that you have to count the lines
in the testing output instead of directly seeing the command...
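The switchable back end described above, as an added example that is not code from the thread or from the firewall-mv script: one rule list is either run rule by rule through iptables (for testing, where an error names the exact command) or collected into a single iptables-restore load, so the ruleset is swapped atomically and no half-applied state is ever visible. The MODE variable, the rule/to_restore/render/load functions and the sample rules are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewall-mv. One rule list
# drives two back ends: MODE=direct runs iptables per rule (handy while
# testing, since errors name the exact command), MODE=restore collects the
# same rules and loads them in one atomic iptables-restore call, so there is
# no window in which only part of the ruleset is active. MODE, rule(),
# to_restore(), render(), load() and the sample rules are constructed here.

MODE=${MODE:-restore}
NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, portably
RULE_LIST=""                     # restore mode: one "TABLE ARGS" line per rule

# rule TABLE IPTABLES-ARGS...: apply one rule through the selected back end.
# Arguments are joined with spaces, so values containing spaces are not supported.
rule() {
    table=$1; shift
    if [ "$MODE" = direct ]; then
        iptables -t "$table" "$@"
    else
        RULE_LIST="${RULE_LIST}${table} $*${NL}"
    fi
}

# to_restore: read "TABLE ARGS" lines on stdin, write iptables-restore input.
# Tables are grouped in order of first appearance; "-P CHAIN POLICY" becomes
# the ":CHAIN POLICY [0:0]" header form; other rules pass through unchanged.
to_restore() {
    awk '
        { t = $1; sub(/^[^ ]+ /, "")
          if (!(t in seen)) { seen[t] = 1; order[++n] = t } }
        /^-P / { pol[t] = pol[t] ":" $2 " " $3 " [0:0]\n"; next }
        { body[t] = body[t] $0 "\n" }
        END { for (i = 1; i <= n; i++) { t = order[i]
                  printf "*%s\n%s%sCOMMIT\n", t, pol[t], body[t] } }'
}
render() { printf '%s' "$RULE_LIST" | to_restore; }        # show what would load
load()   { [ "$MODE" = restore ] || return 0; render | iptables-restore; }

# Sample rule set (constructed): default-deny INPUT, allow loopback,
# established connections and SSH; a nat rule shows per-table grouping.
rule filter -P INPUT DROP
rule filter -A INPUT -i lo -j ACCEPT
rule filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
rule filter -A INPUT -p tcp --dport 22 -j ACCEPT
rule nat -A POSTROUTING -o eth0 -j MASQUERADE

case "${1:-}" in
    --dry-run) render ;;   # print the generated iptables-restore input
    --load)    load ;;     # apply it atomically (needs root)
esac
```

Running the script with --dry-run prints the generated restore file, which is the text iptables-restore would report line numbers against when it rejects a rule.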