On 03/07/07, Oded Arbel <[EMAIL PROTECTED]> wrote:
> *) The SysV script offers the option of "save" to call iptables-save for you. The standard sysadmin use case would be to set up the needed rules, then run '/etc/init.d/iptables save' and then reboot the machine and the rules will be loaded automatically.
> *) The behavior for saving automatically on "stop" is configurable, but defaults to off. If you want to go back to the old behavior, then you only need to change the line in the SysV iptables script that says IPTABLES_SAVE_ON_STOP="no" to say "yes".
As a long-time Debian advocate, I'm hanging my head in shame about this - the above behaviour is the single advantage I found with FC/RH over latest Debian. As far as I can tell, Debian Sarge used to have some provisions for saving/restoring iptables rules automatically which were removed in Etch. I can buy the argument that the "industry best practice" dictated this removal, but still it's a shame that each individual Debian sysadmin has to figure out scripting of the iptables-save/-restore on boot.

> As for the reason - I really suggest that you pursue the changelog entry for this upstream to make sure, but I for one change my iptables rules from time to time to test things, and it's very hard to make sure that you revert exactly to the previous version (and remembering to run iptables-restore after each iptables configuration session /is/ error prone). You wouldn't want ad-hoc rules set up for a test to be saved for posterity by mistake.
I can understand that argument, but a simple /etc/init.d/iptables save and something that automatically assumes that if there is some saved iptables-save output file in a reasonably pre-defined location then it is meant to be installed without having to manually script this on each server would go some way towards admin convenience without compromising security or tripping over unsuspecting admins, and I'm saying this as someone who doesn't have a problem digging my dirty fingers into the init.d scripts and/or adding my own stuff where it's required.

Cheers,
--Amos
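As an added illustration of the behaviour both posters describe (an explicit "save" action, restore-on-boot only when a saved file is present, and no saving on "stop" unless IPTABLES_SAVE_ON_STOP is set to "yes"), here is a small POSIX sh init-style helper. It is example code written for this page, not the Fedora/RH script or anything shipped by Debian; the rules path /etc/iptables/rules.v4 and the *_CMD variables that let the iptables binaries be swapped out for stubs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the distribution's own script. Implements:
#   start/restart -> restore a saved ruleset if (and only if) one exists
#   save          -> write the live ruleset to a fixed, root-only file
#   stop          -> flush, saving first only when IPTABLES_SAVE_ON_STOP=yes

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # assumed location
IPTABLES_SAVE_ON_STOP="${IPTABLES_SAVE_ON_STOP:-no}"  # default: do not save on stop
# The binaries are variables so the logic can be exercised without root
# or a live netfilter (a test can point them at stub functions).
IPTABLES_CMD="${IPTABLES_CMD:-iptables}"
IPTABLES_SAVE_CMD="${IPTABLES_SAVE_CMD:-iptables-save}"
IPTABLES_RESTORE_CMD="${IPTABLES_RESTORE_CMD:-iptables-restore}"

# Save atomically: write to a temp file with restrictive permissions, then
# rename, so an interrupted save never leaves a truncated file for boot.
save_rules() {
    save_tmp="$RULES_FILE.tmp.$$"
    mkdir -p "$(dirname "$RULES_FILE")" || return 1
    if ( umask 077; $IPTABLES_SAVE_CMD > "$save_tmp" ); then
        mv "$save_tmp" "$RULES_FILE"
    else
        rm -f "$save_tmp"
        return 1
    fi
}

# Restore only when a saved file is present and looks like iptables-save
# output (ends its tables with COMMIT). Missing file: exit 2, nothing touched.
# Malformed file: exit 1, nothing loaded, so a bad file cannot silently
# replace the kernel's current policy with an empty one.
restore_rules() {
    if [ ! -s "$RULES_FILE" ]; then
        echo "no saved rules at $RULES_FILE, nothing restored"
        return 2
    fi
    if ! grep -q '^COMMIT' "$RULES_FILE"; then
        echo "$RULES_FILE does not look like iptables-save output, refusing to load" >&2
        return 1
    fi
    $IPTABLES_RESTORE_CMD < "$RULES_FILE"
}

# Flush everything and open the built-in chains, as a SysV "stop" does.
flush_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES_CMD -P "$chain" ACCEPT || return 1
    done
    $IPTABLES_CMD -F && $IPTABLES_CMD -X
}

main() {
    case "$1" in
        start|restart)
            restore_rules ;;
        save)
            save_rules ;;
        stop)
            if [ "$IPTABLES_SAVE_ON_STOP" = yes ]; then
                save_rules || return 1
            fi
            flush_rules ;;
        *)
            echo "Usage: $0 {start|stop|restart|save}" >&2
            return 1 ;;
    esac
}

# Dispatch only when an action was given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The `save` action is the only path that writes the rules file, which addresses Oded's concern about ad-hoc test rules being captured by accident: nothing persists unless the admin asks for it (or explicitly opts into save-on-stop).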
