Re: [Fwbuilder-discussion] IPTables restore script
From: <va...@vk...> - 2007-05-29 04:15:41
On May 28, 2007, at 12:14 PM, Henrik Woffinden wrote:

> Hello list,
>
> I would like to know if I can get FWBuilder v2.1.11 (Build: 234) to save
> the script as an IPTables-restore file?
> I've tried that setting, but then it saves the shell script to do the
> actual iptables-restore in the beginning of the file.
>
> Is there any way I can make it save it as only the ruleset?

No, there is no way to do it, because the generated script (potentially) does some other things besides setting iptables rules. For example, it may need to determine the IP address of interfaces that obtain it dynamically, or add secondary IP addresses to interfaces, and so on. Although it is technically possible to generate a "pure" iptables-restore file provided none of these functions are necessary for a given firewall object configuration and rule set, it would need a lot of code to do all the checks and verification for very little benefit.

> My FWBuilder installation is gonna manage 30 firewalls of IPTables. They
> already have start / stop scripts that do everything needed if I can
> place the file in the right location, only containing the ruleset.

Note that you still need to activate the new policy after you copy the file. This means you probably need to write your own script to install the policy file and reload the service "iptables". Since you will be writing your own script anyway, you could make it copy the script generated by fwbuilder to /tmp, execute it there and then just run iptables-save to generate the configuration in the iptables-restore format in the standard place.

If you do not plan to write your own installer script, you can add a call to iptables-save to the "epilog" section of the generated script and install using the installer provided by the fwbuilder GUI. The installer copies the script to the firewall and executes it there. Executing the script sets the iptables rules and in the end generates a standard iptables-restore file. Seems to be pretty simple.

--vk
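The installer procedure vk outlines (run the generated script, then capture the live rules with iptables-save into the standard restore file), written out as an added example; this is not code from fwbuilder or from anyone in the thread. The restore-file path /etc/sysconfig/iptables and the overridable IPTABLES_SAVE command are assumptions, and reloading the iptables service afterwards is left to the caller.

```shell
#!/bin/sh
# Added example, not fwbuilder's own installer. Runs the script fwbuilder
# generated (which may also fix up dynamic addresses, etc.), dumps the live
# ruleset with iptables-save and installs it atomically as an
# iptables-restore file, keeping the previous file as a backup.
# The command and destination are variables so the logic can be exercised
# without root (assumed defaults below).
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
RESTORE_FILE="${RESTORE_FILE:-/etc/sysconfig/iptables}"

# install_ruleset GENERATED_SCRIPT
# Returns 0 on success; on any failure returns 1 and leaves RESTORE_FILE
# untouched, so a broken run never replaces a known-good restore file.
install_ruleset() {
    script="$1"
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    # Step 1: execute the generated script; it sets the live iptables rules.
    if ! sh "$script"; then
        echo "generated script failed; not saving ruleset" >&2
        rm -f "$tmp"; return 1
    fi
    # Step 2: capture the live ruleset in iptables-restore format.
    if ! "$IPTABLES_SAVE" > "$tmp"; then
        echo "$IPTABLES_SAVE failed" >&2
        rm -f "$tmp"; return 1
    fi
    # Sanity check: a real dump ends every table with a COMMIT line.
    if ! grep -q '^COMMIT' "$tmp"; then
        echo "iptables-save output does not look like a ruleset" >&2
        rm -f "$tmp"; return 1
    fi
    # Step 3: keep the previous file for rollback, then swap the new one in.
    [ -f "$RESTORE_FILE" ] && cp -p "$RESTORE_FILE" "$RESTORE_FILE.bak"
    mv "$tmp" "$RESTORE_FILE" && chmod 600 "$RESTORE_FILE"
}
```

On a real firewall the caller follows this with the distribution's iptables service reload so the saved file is what comes back after a reboot.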