deepstar+NRpGDEuW at singularity
Sep 7, 2007, 12:06 PM
Post #3 of 8
On Fri, Sep 07, 2007 at 08:46:42PM +0200, Maximilian Wilhelm wrote:
> > The result is that for 1 minute, some traffic can get through the firewall rules
> > while other traffic cannot. We have had problems with spam getting through to
> > mailservers behind the firewall, because not all firewall rules were loaded.
> That problem can be solved.
> man iptables-restore
iptables-restore takes a file as input, not a series of iptables
commands. This means I would have to edit the file manually, not
something I want to do with 7000 firewall rules.
> > Using namespaces would make it possible to load all rules in another namespace
> > and when all rules are loaded, a switch can be toggled to switch over to the new
> > ruleset atomically.
> That would most probably be nothing different from an iptables-restore.
> If you want to emulate that, load your 7000 iptables rules on a
> temp-machine, use iptables-save, copy the file to your firewalls and run
That looks somewhat complicated to me: loading the rules on another
machine with the only purpose of generating an iptables-restore file,
then copying that to the real firewall and loading it there.
iptables-restore can indeed be a solution, but then only if iptables can
use it as a staging area. That way you can tweak the firewall config
with the iptables command until it fits your needs, before sending the
entire file to kernelspace with iptables-restore.
Also, this assumes that nothing will go wrong when entering the
firewall rules into kernel space, which means userspace and kernelspace
need to be in synch module-wise
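The staging workflow discussed above, as an added example that is not part of the thread: a plain list of iptables commands is kept as the editable source, converted to iptables-restore syntax, and committed as a whole rather than rule by rule. The sample rules, the helper names and the `--test` parse-only check (present in newer iptables-restore versions) are assumptions of this example.

```shell
# Added example, not from the thread: stage a ruleset as a list of
# iptables commands, convert it, and commit it in one go.

# Constructed sample input (a small mail-relay firewall). One "iptables"
# command per line, optional "-t <table>", comments and blank lines allowed.
RULES='# filter table
iptables -P INPUT DROP
iptables -N MAIL
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j MAIL
iptables -A MAIL -s 192.0.2.0/24 -j ACCEPT
iptables -A MAIL -j DROP
# nat table
iptables -t nat -A PREROUTING -p tcp --dport 2525 -j REDIRECT --to-ports 25'

# to_restore_format: read the command list on stdin, write iptables-save
# syntax on stdout. Rules are grouped per table; "-P" becomes a built-in
# chain policy line and "-N" a user-chain declaration, both emitted before
# the rules that reference them. Only "-t <table>" is recognised, not "--table".
to_restore_format() {
  awk '
    /^ *#/ || NF == 0 { next }
    {
      sub(/^iptables +/, "")
      table = "filter"
      if ($1 == "-t") { table = $2; sub(/^-t +[^ ]+ +/, "") }
      if (!(table in seen)) { seen[table] = 1; order[++n] = table }
      if ($1 == "-P")      decl[table] = decl[table] ":" $2 " " $3 " [0:0]\n"
      else if ($1 == "-N") decl[table] = decl[table] ":" $2 " - [0:0]\n"
      else                 rules[table] = rules[table] $0 "\n"
    }
    END {
      for (i = 1; i <= n; i++) {
        t = order[i]
        printf "*%s\n%s%sCOMMIT\n", t, decl[t], rules[t]
      }
    }'
}

# apply_ruleset FILE: parse-only check first, then commit. Each table in the
# file is replaced atomically at its COMMIT; tables not mentioned are untouched.
apply_ruleset() {
  iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Show the generated file; run apply_ruleset on the firewall host itself.
printf '%s\n' "$RULES" | to_restore_format
```

Because the conversion happens before anything reaches the kernel, a syntax error or a missing match module is caught by the `--test` pass while the old ruleset is still fully in place.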