Thread: [Fwbuilder-discussion] updating rules?
From: <dum...@gm...> - 2003-11-28 12:32:42
Hi,

First of all great work with FWBuilder!

The only thing with FWBuilder is the installing of new rules. Installing with fwb_install itself works fine, but because of setting all chains' default policy to DROP

    IPTABLES -P OUTPUT DROP
    IPTABLES -P INPUT DROP
    IPTABLES -P FORWARD DROP

and then flushing all old rules, it kills all connections on the firewall.

Another solution would be to compare/diff the old ruleset with the new one and only clear the changes and replace them. This would also be very secure and not harm the connections on the firewall. So only particular changed rules could be cleared and the installation would work exactly like FW-1's.

I think this could be done with some changes to the policy compiler / .fw output and the fwb_install script.

--
Thomas Schend
mailto:dum...@gm...
From: Vadim K. <va...@vk...> - 2003-11-29 19:44:19
On Nov 28, 2003, at 4:33 AM, dum...@gm... wrote:

> Hi,
>
> First of all great work with FWBuilder!
>
> The only thing with FWBuilder is the installing of new rules.
> Installing with fwb_install itself works fine but because of
> setting all Chains default policy to DROP
>
> IPTABLES -P OUTPUT DROP
> IPTABLES -P INPUT DROP
> IPTABLES -P FORWARD DROP
>
> and then flushing all old rules kills all connections on the
> firewall.
>

This is addressed in the FAQ actually.

> Another solution would be do compare/diff the old ruleset with the
> new one and only clear the changes an replace them. This would also
> be very secure and not harm the connections on the firewall.
> So only particular changed rules could be cleared and the
> installation would work exactly like fw-1s.
>
> I think this could be done with some changes to policy compiler /
> .fw output and the fwb_install script.
>

Yes, this is a good idea. We already do this in the policy installer for Cisco PIX.

--vk
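The compare/diff approach proposed in the first post and endorsed in the reply, worked through as an added example (this is not FWBuilder's code nor its PIX installer): given two rulesets in iptables-save format, it computes per-chain deletes and positional inserts, and applies policy changes only after the rules are in place, so the window where a chain has a DROP policy but no rules never opens. The iptables-save input format, the function names and the sample rulesets are assumptions made for this example.

```python
import difflib

def parse_ruleset(text):  # -> ({chain: policy}, {chain: [rule, ...]}) in file order
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                    # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":                       # user-defined chains carry no policy
                policies[name] = policy
        elif line.startswith("-A "):                # "-A INPUT <matches> -j <target>"
            _, chain, rule = line.split(None, 2)
            chains.setdefault(chain, []).append(rule)
    return policies, chains

def ruleset_delta(old_text, new_text):
    """Commands turning the old ruleset into the new one without a flush: rules are edited
    in place per chain (order kept); policies change last, so no chain sits empty under DROP."""
    (old_pol, old_ch), (new_pol, new_ch) = parse_ruleset(old_text), parse_ruleset(new_text)
    cmds = [f"iptables -N {c}" for c in new_ch if c not in old_ch]
    for chain in sorted(set(old_ch) | set(new_ch)):
        old, new = old_ch.get(chain, []), new_ch.get(chain, [])
        sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
        # Work from the end of the chain so earlier rule numbers stay valid.
        for tag, i1, i2, j1, j2 in reversed(sm.get_opcodes()):
            if tag == "equal":
                continue
            for i in range(i2, i1, -1):             # delete old[i1:i2] (1-based numbers)
                cmds.append(f"iptables -D {chain} {i}")
            for k, rule in enumerate(new[j1:j2]):   # insert new[j1:j2] in order
                cmds.append(f"iptables -I {chain} {i1 + k + 1} {rule}")
    cmds += [f"iptables -X {c}" for c in old_ch if c not in new_ch]
    cmds += [f"iptables -P {c} {p}" for c, p in new_pol.items() if old_pol.get(c) != p]
    return cmds

# Constructed sample rulesets in iptables-save format (not from the thread).
OLD_RULES = """
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT"""
NEW_RULES = """
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
```

Running `ruleset_delta(OLD_RULES, NEW_RULES)` yields one delete, two inserts and a final `-P INPUT DROP`, with the ESTABLISHED,RELATED rule never removed, so existing connections on the firewall survive the update.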