[Firehol-support] About save and iptables restore
Mirko Buffoni
firehol at synthesys.it
Fri Jul 20 17:05:05 BST 2007
Hi Costa,
Hi friends,
I have a question about this point:
=====
save Start the firewall and then save it using /sbin/iptables-save to
/etc/sysconfig/iptables.
Since v1.64, this is not implemented using /etc/init.d/iptables save
because there is a bug in some versions of iptables-save that save invalid
commands (! --uid-owner A is saved as --uid-owner !A) which cannot be
restored. FireHOL fixes this problem (by saving it, and then replacing
--uid-owner ! with ! --uid-owner ).
Note that not all FireHOL firewalls will work if restored with:
/etc/init.d/iptables start because FireHOL handles kernel modules and might
have queried RPC servers (used by the NFS service) before starting the
firewall. Also, FireHOL automatically checks current kernel configuration
for client ports range. If you restore a firewall using the iptables
service your firewall may not work as expected.
=====
I tried to restore a previously saved iptables config, and suddenly, after a reboot, FTP in passive mode didn't work anymore. I understand it is due to the fact that the kernel hadn't loaded the ip_nat_ftp and ip_conntrack_ftp modules.
Would you think it would be possible to save all the modules required by FireHOL in the iptables config file (i.e. as a comment on the second line, like this:

# insmod: ip_nat_ftp ip_conntrack_ftp ...

Since it is now FireHOL itself that generates the iptables save script, it could handle this too), so that a simple function in the iptables init script, which checks for the presence of "# insmod:" and loops through the listed modules to preload them, could solve the kernel module preloading problem?
A small update to the iptables init script to handle this case would allow a faster setup than what FireHOL requires to create the rule set.
Just my $0.02 ... tell me your opinion.
Mirko
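The init-script helper proposed in the message above, written out as an added example (it is neither code from this post nor from FireHOL or the iptables init script): it reads a "# insmod:" comment from a saved rules file and preloads the listed kernel modules before iptables-restore would run. The MODPROBE variable, the function names and the sample rules file are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not FireHOL's own code. MODPROBE is a hypothetical
# override so the functions can be exercised without root (MODPROBE=echo).
: "${MODPROBE:=modprobe}"

# Print the module names listed on "# insmod:" comment lines of $1,
# one per line, in file order. Only comment lines are considered, so an
# "insmod:" string inside a rule cannot smuggle in a module name.
saved_modules() {
    sed -n 's/^# *insmod:[[:space:]]*//p' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Load every module named by saved_modules; return 1 if any load fails.
preload_saved_modules() {
    rc=0
    for mod in $(saved_modules "$1"); do
        # Accept only plain module names before handing them to modprobe.
        case "$mod" in
            *[!A-Za-z0-9_-]*) echo "skipping suspicious module name: $mod" >&2; rc=1; continue ;;
        esac
        "$MODPROBE" "$mod" || { echo "failed to load $mod" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample of what a FireHOL-written save file could look like
# (not real FireHOL output).
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# Generated by FireHOL (constructed sample)
# insmod: ip_nat_ftp ip_conntrack_ftp
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

# Dry run: with MODPROBE=echo the module names are printed instead of loaded.
MODPROBE=echo
preload_saved_modules "$SAMPLE_RULES"
```

Run as root with the default MODPROBE, the same loop would be called from the init script right before `iptables-restore < /etc/sysconfig/iptables`.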