From: Frank W. <Fra...@cg...> - 2016-08-10 13:34:59
Hi Udo,

do you use the 'use iptables-restore' option? I have not encountered the problems you describe at the moment. I use this option because reloading the rules is almost instant, whereas it can take a minute on a big ruleset. Still, I will need an alternative to fwbuilder eventually....

Use iptables-restore to activate policy

If this option is turned on, the compiler generates the firewall script in a different format and uses iptables-restore to load it. Both the iptables commands and the call to iptables-restore to load them are parts of the generated script; you just need to execute this script on the firewall. The advantage of this method is that loading the policy using iptables-restore is atomic, that is, either the whole new policy loads into kernel memory, or none of it does. If the new policy has syntax errors, it will not load. If the generated script does not use iptables-restore to activate the policy, it may load partially if there is an error in one of the rules somewhere in the middle. Using iptables-restore helps avoid this problem.

On 2016-08-04 08:38, Udo Lembke wrote:
> Hi,
> just a remark. I have switched back from a DL 1.8 firewall to DL 1.6.9
> because the firewall script generated with fwbuilder does not work right with
> the new iptables.
> At first it looks good, but after adding/removing rules we had the effect
> that old rules were extended (not freshly created) with new content!!
> Extremely dangerous.
> Will take a look at shorewall next week...
>
> Udo
>
> On 09.05.2016 14:50, Frank Weis wrote:
>> Hi fellow DL-Users,
>>
>> I know that this is probably not the best place to ask this, but I hope
>> you don't mind me picking your clustered brains :
>>
>> I have >60 DL firewalls in operation, and the fact that fwbuilder
>> development is halted is increasingly concerning me. The generated policies
>> use constructs that become obsolete or even wrong with recent netfilter
>> versions (i.e. 'any ICMP' in a NAT rule is no longer supported in DL-1.8's
>> iptables).
>>
>> How do you people address this? What do you use to generate your
>> firewall rules? Any suggestions for me?
>>
>> Thanks a lot in advance,
>>
>> Frank

-- 
Frank Weis
IT adviser
Government of the Grand Duchy of Luxembourg
Ministry of National Education, Children and Youth
Centre de gestion informatique de l'éducation, eduPôle - Walferdange
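As an added illustration of the atomic load described in the option text above (this is not part of the thread and not fwbuilder's generated script): a POSIX shell script that writes a constructed sample policy in iptables-restore format, checks its table/COMMIT structure, parses it with `iptables-restore --test` so a bad file never touches the kernel, and only then loads it. The chain names, 192.0.2.0/24 and eth0 are sample values chosen for the example.

```shell
#!/bin/sh
# Added example (not fwbuilder's generated script): load a firewall policy atomically
# with iptables-restore. Chain names, 192.0.2.0/24 and eth0 are constructed sample values.

RULESET_FILE="${RULESET_FILE:-/tmp/fw.rules}"

# Emit the whole policy in iptables-restore format: each table block opens with
# '*table' and closes with 'COMMIT', and is applied as a unit.
emit_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Structural check that needs neither root nor iptables: every '*table' must be
# closed by COMMIT before the next table starts. Returns 0 when consistent.
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        END        { if (bad || open) exit 1; exit 0 }
    ' "$1"
}

# Parse with --test first (kernel untouched); a rejected file leaves the running
# policy as it is. The real load then replaces the listed tables in one step.
load_ruleset() {
    emit_ruleset > "$RULESET_FILE"
    check_ruleset "$RULESET_FILE" || { echo "malformed ruleset" >&2; return 1; }
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found; ruleset left in $RULESET_FILE" >&2; return 1; }
    iptables-restore --test < "$RULESET_FILE" || { echo "ruleset rejected, old policy kept" >&2; return 1; }
    iptables-restore < "$RULESET_FILE"
}
```

Run `load_ruleset` as root on the firewall; `emit_ruleset` and `check_ruleset` work on any host, which lets a generated file be checked before it is copied over.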