On Fri, 04 Oct 2013 17:58:14 -0400
Michael Orlitzky <mich...@orlitzky.com> wrote:

> On 10/03/2013 04:28 PM, Kerin Millar wrote:
> > 
> > The iptables runscript is ideal for persisting the rules. However, 
> > during the initial construction of a non-trivial ruleset, I prefer
> > to write a script that adds the rules. An elegant way of doing this
> > is to use iptables-restore with a heredoc. The method - and its
> > advantages - are described in this document (section 3):
> > 
> > http://inai.de/documents/Perfect_Ruleset.pdf
> > 
> 
> This advice is dubious in my opinion. The `iptables` command line is
> the published interface to iptables. The iptables-restore syntax is an
> implementation detail, subject to change at any time.
> 
> Here are his arguments:
> 
> 1. Calling iptables repeatedly is slow.
> 
> Who cares? How often do you invoke the script? Once or twice a year
> when you change it.
> 
> 2. There is an opportunity for someone to bypass the rules between
>    dropping/recreating them.
> 
> Again, you run the script once or twice a year. Turn off the interface
> beforehand if a few microseconds per year is too long to run without a
> firewall.
> 
> 
> And my counterarguments:
> 
> 1. The iptables-restore syntax is uglier and harder to read.
> 
> 2. You get better error reporting calling iptables repeatedly.
> 
> 3. The published interface will never change; iptables-restore reads
> an input language whose specification is "whatever iptables-save
> outputs."
> 
> 4. A bash script is far more standard and less confusing to your
> coworkers.
> 
> 5. You can't script iptables-restore! What if you want to call sed,
> cut, or grep on something and pass that to iptables? You can write a
> bash script that writes an iptables-restore script to accomplish the
> same thing, but how much complexity are you willing to add for next
> to no benefit?
> 
> 

Hi,
Many people use netfilter for busy firewalls not just for set and
forget firewalls. Having hundreds or thousands of rules and IPs makes
managing netfilter with iptables problematic. That is when it's
advisable to change the filter in one swoop with restore or ipset.
Bottom line is your individual use case is just that, individual.
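As an added example (not code from either poster or from the document they discuss), the following shell script shows the approach both messages touch on: a script that generates an iptables-restore ruleset from a plain address list and loads it in one atomic commit, so the kernel never holds a half-built chain. The address list, the BLOCKLIST chain name and the accepted ports are constructed sample values and my own choices, not anything from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset
# from a list of addresses and apply it in a single atomic swap.
# The address list below is constructed sample data; chain and port choices
# are assumptions for illustration.

# Constructed sample input: one address or CIDR per line.
BLOCKED_ADDRS='192.0.2.10
198.51.100.0/24
203.0.113.7'

# Print a complete filter-table ruleset in iptables-restore format.
# iptables-restore replaces the whole table at COMMIT, which closes the
# "dropped rules but not yet re-added" window of a flush-then-append script.
build_ruleset() {
    addrs="${1:-$BLOCKED_ADDRS}"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':BLOCKLIST - [0:0]'
    # One DROP rule per address, produced with ordinary shell text
    # processing: the "script that writes the restore file" approach.
    printf '%s\n' "$addrs" | grep -v '^[[:space:]]*$' | while IFS= read -r addr; do
        echo "-A BLOCKLIST -s $addr -j DROP"
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -j BLOCKLIST'
    echo '-A INPUT -p tcp --dport 22 -j ACCEPT'
    echo 'COMMIT'
}

# Number of DROP rules the generated ruleset contains (one per address).
count_drop_rules() {
    build_ruleset "$@" | grep -c -- '-j DROP'
}

# Validate with --test (parse only, nothing loaded), then load atomically.
# Returns 2 if iptables-restore is not installed, so the script is safe to
# run on a machine without netfilter tools.
apply_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not available; ruleset not applied" >&2
        return 2
    fi
    build_ruleset "$@" | iptables-restore --test || return 1
    build_ruleset "$@" | iptables-restore
}
```

The --test pass gives the error reporting the first message worries about: a syntax error is reported before anything is loaded, rather than leaving the table partially changed. Running build_ruleset on its own prints the file for review, which is also how the coworker-readability point can be checked.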