[Firehol-support] About save and iptables restore
firehol at synthesys.it
Fri Jul 20 17:05:05 BST 2007
I have a question about this point:
save Start the firewall and then save it using /sbin/iptables-save to
Since v1.64, this is not implemented using /etc/init.d/iptables save
because there is a bug in some versions of iptables-save that save invalid
commands (! --uid-owner A is saved as --uid-owner !A) which cannot be
restored. FireHOL fixes this problem (by saving it, and then replacing
--uid-owner ! with ! --uid-owner ).
Note that not all FireHOL firewalls will work if restored with:
/etc/init.d/iptables start because FireHOL handles kernel modules and might
have queried RPC servers (used by the NFS service) before starting the
firewall. Also, FireHOL automatically checks current kernel configuration
for client ports range. If you restore a firewall using the iptables
service your firewall may not work as expected.
I tried to restore a previously saved iptables config, and suddenly, after
a reboot, ftp
for passive mode didn't work anymore. I understand it is due to the fact
that kernel haven't
loaded ip_nat_ftp, ip_conntrack_ftp modules.
Would you think it would be possible to save all the modules required by
firehol in the
iptables config file (i.e. as a comment in the second line, like this
# insmod: ip_nat_ftp ip_conntrack_ftp ...
since now it's firehol itself to generate iptables save script, it could
handle also this)
so that with a simple function in iptables init script, that checks for #
insmod: presence and
loop through them for preload, could solve the problem with kernel modules
A small update to iptables init script to handle this case, would allow a
faster setup than
what's required by FireHol to create the rules set.
Just my $0.02 ... tell me your opinion.
More information about the Firehol-support