[Firehol-support] Improving FireHOL
Vincent Danjean
vdanjean.ml at free.fr
Sun Feb 25 20:52:46 GMT 2007
Carlos Rodrigues wrote:
> On 2/25/07, Vincent Danjean <vdanjean.ml at free.fr> wrote:
>> I'm not saying that FireHOL must be run in two parts on two different
>> machines. I'm just saying that there is not a lot of work to do so that
>> this is possible. And sometimes this would be really useful, even if there
>> are some limitations compared to the 'normal' mode.
>
> I guess there are three ways to do this:
>
> 1. You can load the rules on the source machine, dump them with
> iptables-save, and then load them in the target machine with
> iptables-restore.
The target machine does not have the same interfaces. I'm not sure this
will really work (whereas we can load rules with iptables for interfaces
not present on the machine).
> 2. You can change firehol so that it dumps the "iptables ..." commands
> instead of running them. And then run the output on the target
> machine.
Sorry for not having been clear enough, but this is exactly what I want
to do.
> 3. You can change firehol so that it generates output compatible with
> iptables-restore, which has the problems described by the firehol
> author in the post I referenced.
Yes, and I agree with the facts described in this post.
> Well, I could certainly use option 2... and it doesn't seem all that
> difficult to implement...
;-) Sure. I'm glad we agree on this.
I will come with a series of patches in a few days (or weeks, depending
on my free time).
Thanks for your input.
Vincent
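To make option 2 concrete, here is an added sketch (not code from the thread or from FireHOL itself) of the idea being discussed: every rule goes through one wrapper, and in "dump mode" the wrapper records the exact `iptables ...` command line, shell-quoted so it survives being replayed on the target machine, instead of executing it. The wrapper name `firehol_ipt`, the variable `FIREHOL_DUMP_MODE` and the small ruleset (including the `eth1` interface that only has to exist on the target) are assumptions constructed for the example; this is POSIX sh so the dumped script runs under `sh` or `bash` on the target.

```shell
#!/bin/sh
# Added example, not FireHOL code: record "iptables ..." commands instead of
# running them (option 2 in the thread), so the output can be run elsewhere.

# 1 = record commands (default here), anything else = run the real iptables.
: "${FIREHOL_DUMP_MODE:=1}"

# Accumulated script text, one recorded command per line.
FIREHOL_DUMP_SCRIPT=""
_fh_nl=$(printf '\nx'); _fh_nl=${_fh_nl%x}   # a literal newline

# Quote one argument for a POSIX shell. Plain tokens ("-A", "INPUT",
# "127.0.0.0/8", "ESTABLISHED,RELATED") are left bare; anything else, such
# as "!" or a comment with spaces, is wrapped in single quotes, with any
# embedded single quote turned into the '\'' idiom.
sh_quote() {
    case $1 in
        ''|*[!A-Za-z0-9_.,:/=+@-]*)
            printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
            ;;
        *)
            printf '%s' "$1"
            ;;
    esac
}

# The single point every rule passes through. Assumed name; a generator
# would call this instead of invoking iptables directly.
firehol_ipt() {
    if [ "$FIREHOL_DUMP_MODE" = 1 ]; then
        _fh_line="iptables"
        for _fh_arg in "$@"; do
            _fh_line="$_fh_line $(sh_quote "$_fh_arg")"
        done
        FIREHOL_DUMP_SCRIPT="${FIREHOL_DUMP_SCRIPT}${_fh_line}${_fh_nl}"
        return 0
    fi
    iptables "$@"
}

# A constructed ruleset in the style a generator would emit. Note the "!"
# and the quoted comment, which is why plain echoing is not enough, and
# eth1, which need not exist on the machine producing the dump.
generate_rules() {
    FIREHOL_DUMP_SCRIPT=""
    firehol_ipt -P INPUT DROP
    firehol_ipt -A INPUT -i lo -j ACCEPT
    firehol_ipt -A INPUT '!' -i lo -s 127.0.0.0/8 -j DROP
    firehol_ipt -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    firehol_ipt -A INPUT -m comment --comment "allow established traffic" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Helpers for inspecting the recorded script.
dump_line_count() {
    printf '%s' "$FIREHOL_DUMP_SCRIPT" | grep -c '^iptables '
}

dump_line() {
    printf '%s' "$FIREHOL_DUMP_SCRIPT" | sed -n "${1}p"
}

# The complete script to copy to the target: stop at the first failing rule
# rather than leaving a half-loaded firewall.
dump_script() {
    printf '#!/bin/sh\nset -e\n%s' "$FIREHOL_DUMP_SCRIPT"
}

generate_rules
dump_script
```

Run as-is, the script prints the five recorded commands, ready to be copied to the target and executed there; set `FIREHOL_DUMP_MODE=0` and the same wrapper calls the real `iptables` on the local machine, which is the behaviour the generator had before.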