Firewall settings unworkable
Thomas Woerner
twoerner at redhat.com
Thu Oct 7 09:11:01 UTC 2010
On 10/06/2010 08:31 PM, Richard W.M. Jones wrote:
> Seems quite complex. What's wrong with a directory:
>
> /etc/iptables.d/
>
> where RPMs like libvirt just drop the required additional rules (in a
> separate chain if you like) and restart the iptables service? It's
> low-tech but simple and it's all that libvirt needs.
>
> Rich.
>
I have thought a lot about the iptables.d directory. It is a nice thing
if your firewall is static and there are no dynamic elements like
wireless networks or services or programs requesting to open a port, and
also if the rule representation is unambiguous.
Saving the rules with service ip*tables save is hard to do with this,
because you have to check whether the rules in the firewall match rules
in one or more of the files, to prevent having double, triple, .. rules
every time you save them. The biggest problem here, though, is that
ip*tables reformats and also changes parameters from the external to
the internal representation (see icmp types, marks, insert IDs,
addresses, ..). If you save, then you get the internal representation,
which might be different from the one you have in the file. Therefore
simple rule matching cannot decide whether the rule is the same or not.
You have to actively parse and compare every single parameter. Insert
IDs, for example, are completely lost in the internal representation.
Using the ip*tables commands to add and remove rules works, because it
does not matter whether you are using names or IDs and so on: they match
the internal representation in netfilter.
Ciao,
Thomas
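As an added illustration of the point made in the mail above (this is not code from the list, from Thomas, or from any project): a small canonicaliser that compares rules as written in a drop-in file against the form iptables-save prints back. Plain string matching cannot tell whether a file rule is already in the kernel, because netfilter hands back numeric ICMP types, numeric ports, CIDR-suffixed addresses and an explicit `-m <proto>` match, and the position given to `-I` is gone entirely. The sample rules are constructed; the "saved" forms are written to mimic known iptables-save output. The ICMP-type and service lookup tables are hand-written subsets, not the full iptables name tables, and negation (`!`) and multi-value options such as `--tcp-flags` are deliberately not handled.

```python
"""Compare iptables rules in drop-in-file form against iptables-save form.

Added example, not from the mailing list or any project.  Shows why a
de-duplicating save step has to parse and normalise each parameter
instead of matching strings.  No iptables binary is touched.
"""
import ipaddress
import shlex

# Symbolic ICMP type names -> numbers as iptables-save prints them (subset,
# hand-written for this example).
ICMP_TYPES = {
    "echo-request": "8",
    "echo-reply": "0",
    "destination-unreachable": "3",
    "time-exceeded": "11",
}
# Service names -> port numbers as /etc/services resolves them (subset).
SERVICES = {"ssh": "22", "http": "80", "https": "443", "domain": "53"}
# Protocols for which iptables-save adds an explicit "-m <proto>" match.
IMPLICIT_MATCH = {"tcp", "udp", "icmp"}


def parse_rule(rule):
    """Parse one rule line into (chain, insert_index, canonical_options).

    insert_index is the position given to "-I", or None for "-A" and for
    anything that came back from iptables-save, where it is already lost.
    canonical_options is a frozenset of (option, value) pairs with names
    resolved to the numeric/CIDR form the kernel hands back.
    """
    tokens = shlex.split(rule)
    chain, index, opts, modules = None, None, set(), set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I"):
            chain = tokens[i + 1]
            i += 2
            # "-I chain N": optional numeric position, lost after a save.
            if tok == "-I" and i < len(tokens) and tokens[i].isdigit():
                index = int(tokens[i])
                i += 1
            continue
        if tok == "-m":
            modules.add(tokens[i + 1])
            i += 2
            continue
        if tok == "-p":
            proto = tokens[i + 1].lower()
            opts.add(("-p", proto))
            if proto in IMPLICIT_MATCH:
                modules.add(proto)  # the save output spells this out
            i += 2
            continue
        if tok in ("-s", "-d"):
            # 10.0.0.1 -> 10.0.0.1/32, 10.0.0.0/255.255.255.0 -> 10.0.0.0/24
            opts.add((tok, str(ipaddress.ip_network(tokens[i + 1], strict=False))))
            i += 2
            continue
        if tok in ("--dport", "--sport"):
            opts.add((tok, SERVICES.get(tokens[i + 1], tokens[i + 1])))
            i += 2
            continue
        if tok == "--icmp-type":
            opts.add((tok, ICMP_TYPES.get(tokens[i + 1], tokens[i + 1])))
            i += 2
            continue
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts.add((tok, tokens[i + 1]))  # generic "-x value" option
            i += 2
            continue
        opts.add((tok, ""))  # bare token, kept verbatim
        i += 1
    for module in modules:
        opts.add(("-m", module))
    return chain, index, frozenset(opts)


def same_rule(a, b):
    """True when two rule lines match parameter by parameter, ignoring the
    insert position (which iptables-save does not preserve)."""
    chain_a, _, opts_a = parse_rule(a)
    chain_b, _, opts_b = parse_rule(b)
    return chain_a == chain_b and opts_a == opts_b


def missing_from_kernel(file_rules, saved_rules):
    """Rules from a drop-in file not present in the iptables-save dump.
    Returns (naive string-match result, parameter-comparison result)."""
    naive = [r for r in file_rules if r not in saved_rules]
    parsed = [r for r in file_rules if not any(same_rule(r, s) for s in saved_rules)]
    return naive, parsed


# Constructed sample: rules as an RPM might drop them into /etc/iptables.d/ ...
FILE_RULES = [
    "-I INPUT 3 -p icmp --icmp-type echo-request -j ACCEPT",
    "-A INPUT -s 192.168.122.1 -p tcp --dport ssh -j ACCEPT",
    "-A FORWARD -i virbr0 -o eth0 -j ACCEPT",
]
# ... and the same rules as iptables-save prints them back.
SAVED_RULES = [
    "-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT",
    "-A INPUT -s 192.168.122.1/32 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A FORWARD -i virbr0 -o eth0 -j ACCEPT",
]

if __name__ == "__main__":
    naive, parsed = missing_from_kernel(FILE_RULES, SAVED_RULES)
    print("naive string match thinks these are missing:", naive)
    print("parameter comparison thinks these are missing:", parsed)
    print("insert position in file:", parse_rule(FILE_RULES[0])[1],
          "-> after save:", parse_rule(SAVED_RULES[0])[1])
```

Run as-is, the naive comparison reports the first two file rules as missing although both are loaded, while the parameter comparison finds all three; the insert position 3 from the file is None on the saved side, which is exactly the information no save-side comparison can recover.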