> I am working on setting up a firewall on a server/router (see
> http://wiki.debian.org/green/Router ). I have considered several different
> firewall packages, but am more comfortable just running iptables in a shell
> script.
>
> However, iptables scripts usually begin with a flush, and then it takes time to
> add all those rules, plus some possible interruption to traffic meanwhile.
> What about if only a small change has been made? Does iptables-restore flush
> first, or is it able to just change the rule set as necessary to match? (And
> is there a term used to describe that feature?)
In the man page of iptables-restore:

    -n, --noflush
        don't flush the previous contents of the table. If not
        specified, iptables-restore flushes (deletes) all previous contents of
        the respective IP Table.
> If iptables-restore does not support that, does anyone know of another tool
> (available the repositories) that I can use that would allow me to write a
> parseable iptables rule set?
Use "diff" to show the differences between rule sets. Use "iptables
-D/-A/-I" respectively to remove/add rules.
> Thanks.
Tao
--
http://huangtao.me/
http://www.google.com/profiles/UniIsland
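The diff-then-apply approach suggested in the reply, written out as an added example (not code from the thread or from the Debian wiki page): two constructed rule sets in iptables-save format stand in for the running firewall and the edited script, and the function prints the `iptables -D` / `iptables -A` commands that turn one into the other without flushing anything. Only `-A` rule lines of one table are compared; chain policies (the `:INPUT DROP` lines) are not part of the delta.

```shell
#!/bin/sh
# Incremental firewall update: compute the difference between the rules that
# are currently loaded and the rules we want, then emit only the iptables
# commands needed to close the gap. Nothing is executed; review the output,
# then pipe it to sh (or load it with iptables-restore --noflush).

# Constructed sample standing in for `iptables-save -t filter` output.
current_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
EOF
}

# Constructed sample standing in for the edited rule set: telnet (23) removed,
# HTTPS (443) added, everything else unchanged.
desired_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Keep only the rule lines (those starting with -A), sorted so that comm(1)
# can compare the two files as sets.
rule_lines() {
    grep '^-A ' | sort
}

# Print the commands that bring the current set to the desired set:
# rules only in the current set become -D (delete), rules only in the
# desired set become -A (append). $1 is the table name (default: filter).
ruleset_delta() {
    table=${1:-filter}
    cur=$(mktemp) || return 1
    des=$(mktemp) || { rm -f "$cur"; return 1; }
    current_rules | rule_lines > "$cur"
    desired_rules | rule_lines > "$des"
    comm -23 "$cur" "$des" | sed "s/^-A /iptables -t $table -D /"
    comm -13 "$cur" "$des" | sed "s/^-A /iptables -t $table -A /"
    rm -f "$cur" "$des"
}

# Dry run: show what would change.
ruleset_delta filter
```

Because additions are appended, a rule whose position matters (one that must sit above a broader DROP, for example) still needs `-I CHAIN N` by hand, which is why the reply lists `-I` alongside `-D/-A`. Deleting by exact match also means a rule that was edited rather than added shows up as one `-D` and one `-A`, so the window during which the old rule is gone and the new one not yet present is still there, just reduced to a single command pair.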
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AANLkTimBfLf3S4w_JnLyRWLdN7Tyw6ipo9-Wt3tlCLTN@mail.gmail.com