[Firehol-devs] firehol at boot

Tsaousis, Costa costa at tsaousis.gr
Fri Dec 19 22:10:26 GMT 2014


Hi all,

I just pushed a version of firehol with the following changes:

1. When a firewall is successfully activated, an iptables-restore
version of the newly activated firewall is saved to
/var/spool/firehol.
It saves ipv4, ipv6 rules and the iptables kernel modules required for them.
This happens always. Every successful activation, saves the rules in
/var/spool/firehol.

2. A new command line option has been added: restore
This checks if /etc/firehol/firehol.conf has been changed since the
last save of the files above.
If it has changed, it behaves like 'start'.
If it has not been changed, it quickly restores the firewall from the
saved files (including kernel modules). This normally takes less than
a sec.

3. When called with 'stop', it updates the saved files in
/var/spool/firehol, so that the usage counters of iptables (packets,
bytes) are updated too.

These changes allow you to use:

'firehol stop' at system shutdown or reboot
'firehol restore' at system boot to quickly restore the last active
firewall with updated counters.

(yes, it was very annoying to have a systemd powered system booting in
5 secs and wait 5 more seconds for firehol to be started :)

Keep in mind that:

- if you dynamically change the rules of the firewall (by running
iptables commands after the firewall has been activated), now these
rules will survive across reboots if you restore the firewall with
'firehol restore'.

- if you dynamically detect application ports in firehol.conf (like
the nfs service does), your firewall will be wrong after a reboot when
you restore it. You will have to execute 'firehol start' to detect the
new ports.
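The following is an added example, not FireHOL's own code, of the 'restore' decision described above: it does a full start when there is no snapshot or when firehol.conf was modified after the snapshot was written, and otherwise reloads the saved modules and rule files with counters preserved. The file names under /var/spool/firehol (ipv4.rules, ipv6.rules, modules), the modification-time comparison and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FireHOL's code): a minimal model of 'firehol restore'.
# Assumed layout of the spool directory: ipv4.rules, ipv6.rules, modules.
# Set DRY_RUN=1 to print the commands instead of executing them.

SPOOL="${SPOOL:-/var/spool/firehol}"
CONF="${CONF:-/etc/firehol/firehol.conf}"

# decide_action CONF SAVED -> prints "start" or "restore".
# A full 'start' is needed when no snapshot exists yet, or when the
# configuration file is newer than the snapshot (assumed mtime check).
decide_action() {
    conf="$1"; saved="$2"
    if [ ! -f "$saved" ]; then
        echo start
    elif [ "$conf" -nt "$saved" ]; then
        echo start
    else
        echo restore
    fi
}

# run CMD... : execute the command, or only echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# restore_firewall SPOOLDIR : load the saved kernel modules, then feed the
# saved rule sets to iptables-restore / ip6tables-restore; -c keeps the
# packet and byte counters that were saved at 'firehol stop'.
restore_firewall() {
    dir="$1"
    if [ -f "$dir/modules" ]; then
        while read -r mod || [ -n "$mod" ]; do
            [ -n "$mod" ] && run modprobe "$mod"
        done < "$dir/modules"
    fi
    [ -f "$dir/ipv4.rules" ] && run iptables-restore -c "$dir/ipv4.rules"
    [ -f "$dir/ipv6.rules" ] && run ip6tables-restore -c "$dir/ipv6.rules"
    return 0
}

# Entry point: 'restore' takes the fast path only when the snapshot is
# still valid for the current configuration.
if [ "${1:-}" = restore ]; then
    case "$(decide_action "$CONF" "$SPOOL/ipv4.rules")" in
        start)   echo "config changed since last save: full 'firehol start' needed" ;;
        restore) restore_firewall "$SPOOL" ;;
    esac
fi
```

Note that the mtime check only sees edits to firehol.conf itself; ports discovered at runtime (the nfs case above) leave the file untouched, which is exactly why a restored snapshot can be stale and a real 'firehol start' is required after such changes.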

If you find any problems, please report them.

Regards,

Costa


