Hu (Administrator), Joined: 06 Mar 2007, Posts: 23082
Posted: Tue Dec 11, 2012 2:48 am
If you connect to an untrusted network, I recommend running a packet filter. You may not need one, but security is about defense in depth. If the attacker cannot contact your system, then there is no possibility that a bug or mistaken configuration in some server could allow the attacker to advance, because he will never talk to it.
libertytrek (Apprentice), Joined: 18 Jul 2007, Posts: 258
Posted: Sat Dec 15, 2012 2:46 pm
> Hu wrote: Unless you have changed your /etc/conf.d/iptables file, that is the wrong filename to edit. The default here is /var/lib/iptables/rules-save.

Ok, I encountered this, and am having a weird problem...

/etc/conf.d/iptables definitely is configured to save rules-save to /var/lib/iptables, and the date/time of the file changed when I ran iptables-save after making changes to the running config, but it still contained references to --state (content didn't appear to update).

So, I mv'd the old file and reran iptables-save - no file was created. Touched rules-save, reran iptables-save, file was not updated.

The problem I'm having right now is when I try to restart iptables, it gives me:

Well, now I'm really confused... apparently after mving the old file, it now restarts without an error *and* contains the correct modifications...

So, how can I find out where iptables is *really* storing rules-save?

Oh - this is on a Linode hosted VM slice...
Hu (Administrator), Joined: 06 Mar 2007, Posts: 23082
Posted: Sat Dec 15, 2012 5:45 pm
Do you mean the command iptables, the command iptables-save, or the Gentoo initscript iptables? The first produces output unsuitable for use here. The second writes to stdout, so is not saved unless its caller redirects stdout. The third writes to the location specified in /etc/conf.d/iptables.
libertytrek (Apprentice), Joined: 18 Jul 2007, Posts: 258
Posted: Sat Dec 15, 2012 9:30 pm
> Hu wrote: Do you mean the command iptables, the command iptables-save, or the Gentoo initscript iptables? The first produces output unsuitable for use here. The second writes to stdout, so is not saved unless its caller redirects stdout. The third writes to the location specified in /etc/conf.d/iptables.

Ok, I was talking about the command iptables-save. I thought that would save the rules to the rules-current file specified in /etc/conf.d/iptables.

I'm confused as to what good sending output of iptables-save to stdout accomplishes? If it is just doing that then it isn't 'saving' it at all, it is just outputting it to the screen (unless of course it is redirected).

Anyway, you're right, restarting iptables again using the Gentoo init script updated the file as it should.

Thanks!
Hu (Administrator), Joined: 06 Mar 2007, Posts: 23082
Posted: Sat Dec 15, 2012 9:59 pm
It saves an atomic snapshot of the rules to stdout, which you can then post-process in any way you want, whether that is adding/deleting/modifying rules, compressing the rule list, writing it to a file, or streaming it over a network connection.
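A worked version of the pipeline Hu describes, added here as an example (not code from the thread, from Gentoo's initscript, or from iptables itself): it takes an iptables-save snapshot from stdin, rewrites it, and writes the result to a file atomically so the initscript never reads a half-written rules-save. It assumes the change the poster had made was replacing the old `-m state --state` match with its `-m conntrack --ctstate` equivalent, and it feeds a constructed sample snapshot through the pipeline instead of calling iptables-save so it runs anywhere.

```shell
#!/bin/sh
# Constructed sample of iptables-save output (not real rules from the thread).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'

# Post-processing step: rewrite the deprecated "state" match to "conntrack"
# (assumption: this is the edit the poster made to the running config).
# Every other line of the snapshot passes through untouched.
modernize_rules() {
    sed -e 's/-m state --state /-m conntrack --ctstate /g'
}

# Write stdin to the file named in $1 atomically: the data goes to a
# temporary file in the same directory and is renamed into place, so a
# crash or a full disk mid-write leaves the previous rules-save intact.
save_rules_atomically() {
    target=$1
    tmp=$(mktemp "$(dirname "$target")/.rules-save.XXXXXX") || return 1
    if cat > "$tmp" && chmod 0600 "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Sanity check after saving: number of rules still using the old match.
# Returns 0 on a fully rewritten file (grep -c prints 0 and exits 1).
count_state_matches() {
    grep -c -- '-m state --state' "$1" || true
}

# Target path; in real use set RULES_FILE to the path configured in
# /etc/conf.d/iptables (/var/lib/iptables/rules-save by default).
RULES_FILE=${RULES_FILE:-$(mktemp -d)/rules-save}

# In real use the first stage would be `iptables-save |` instead of the sample.
printf '%s\n' "$SAMPLE_RULES" | modernize_rules | save_rules_atomically "$RULES_FILE"
echo "rules still using -m state: $(count_state_matches "$RULES_FILE")"
```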