Michael Orlitzky <mich...@orlitzky.com> wrote:

>>> [...]
>>> If you have a million rules and you need to wipe/reload them all
>>> frequently you're probably doing something wrong to begin with.
>>
>> I don't know how this is related to the discussion.
>> The main advantage of using iptables-restore is avoidance of
>> race conditions. A secondary advantage is a speed improvement;
>> in my case, the machine boots about 2 seconds faster which can
>> be a considerable advantage if you start virtual machines.
>>
>
> I was just reiterating that there's not much benefit to save/restore if
> you're doing things properly (pontification alert!).
For a laptop of a scientist like me this is not true at all - it must often be connected in a different environment with different local nets etc. Also for other things (like portknocking using the recent module) you need rather complex rules which are better rewritten by a script, especially if the length of a portknocking sequence changes. Like passwords, these sequences should better not stay the same for too long...

> Race conditions don't really seem that serious to me.

Maybe, but I am not sure: There might be situations where it might be possible to keep a port open even when the rule is rewritten later on; then you need an open system only once... So, I could imagine that with some clever hacks an attacker might keep ports open and then do another attack later on. I am not an experienced enough hacker to know such attacks, but I know that races can be very subtle and provide attack vectors nobody has ever thought of.

> All of security is a trade-off, and in my opinion, having
> human-friendly, easily-readable rules (with error checking)

It is easy to switch to one method for testing and then back when everything works: If you write $iptables ... throughout you just have to set iptables="iptables" or iptables="FvwmTables 4" respectively. In fact, the firewall-mv script does this (with a different mechanism) depending on a command-line switch. Moreover, I observed that the error checking works with iptables-restore as well as with iptables: It shows you almost the same errors, including a line number. So the only difference is that you have to count the lines in the testing output instead of directly seeing the command...
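The switch described in the message above, one rule list loaded either command by command through iptables or as one atomic transaction through iptables-restore, written out as an added POSIX sh example. It is not the firewall-mv script and not code from anyone in the thread; the rule set, the MODE argument, the DRY_RUN variable and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewall-mv: the same rule
# list is loaded either rule by rule with iptables ("direct", convenient while
# testing because every error is reported against the command that caused it)
# or in one atomic transaction with iptables-restore ("restore").
# DRY_RUN=1 prints what would be executed instead of touching the kernel,
# which is how the two outputs can be compared side by side.

DRY_RUN="${DRY_RUN:-0}"

# Constructed rule set for the filter table, one rule per line, written as
# iptables arguments. The table is not named here: direct mode defaults to
# filter and restore mode names it in the section header.
filter_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Direct mode: one kernel update per line. From the flush until the last
# rule is in place the chain is in an intermediate state, which is the race
# the thread is about; setting the policy to DROP first narrows the window
# but does not remove the step-by-step nature of the update.
apply_direct() {
    run iptables -P INPUT DROP
    run iptables -F INPUT
    filter_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        run iptables $rule
    done
}

# Restore mode: build the iptables-restore text for the filter table
# (section header, default policies, rules, COMMIT). iptables-restore parses
# the whole block first and then replaces the table in a single step, so no
# packet is ever matched against a half-loaded table. The line numbers of
# this text are what its "line N failed" error message refers to.
restore_text() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    filter_rules
    printf 'COMMIT\n'
}

apply_restore() {
    if [ "$DRY_RUN" = 1 ]; then
        restore_text
    else
        restore_text | iptables-restore
    fi
}

# Usage: sh firewall.sh direct | sh firewall.sh restore
# (for example DRY_RUN=1 sh firewall.sh restore to inspect the generated file).
main() {
    case "$1" in
        direct)  apply_direct ;;
        restore) apply_restore ;;
        *) echo "usage: $0 {direct|restore}" >&2; return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Running it with DRY_RUN=1 in both modes shows the point of the message: the same four rules appear once as six separate iptables commands and once as a nine-line restore file, so a rule that fails in one form can be located in the other by its line number.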