On Wed, May 28, 2014 at 8:13 AM, Joe <j...@jretrading.com> wrote:
> This package is relatively recent, and when I needed to address this
> problem, I had just built a Linux-From-Scratch system, so I took their
> init script skeleton and made a pseudo-daemon, entering a set of
> iptables commands at boot. This is an alternative approach, and may be
> more flexible, but requires work. It allows the use of alternative
> iptables rulesets, written as shell scripts, and therefore allows
> offline editing of the scripts and on-the-fly selection of them.
This is more or less the approach I use, too. I have a script that runs a bunch of iptables commands, setting up the rules the way I want them. The advantage of that over iptables-save is that I can annotate the script with comments (e.g. if an IP block is banned, I can say what the block represents, why it's banned, and importantly, *when* it was banned, so I know to review it).

It may also be convenient to script ip{,6}tables to use a lot of the same rules; again, it's easy enough when you have your source code as a bash/Python/Pike/etc script rather than just a series of commands. Plays nicely with source control, too.

ChrisA

Archive: https://lists.debian.org/CAPTjJmoeACN=syV7KXSG6p2EFckqnCNH1tDhN2bYJb_CmQq=r...@mail.gmail.com
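A sketch of the kind of firewall script this message describes, written as an added example for this page rather than code posted by ChrisA or Joe: the ban list is data with a date and a reason on every entry, one function emits the ruleset for either iptables or ip6tables so the two families share everything except the ICMP handling, and a helper lists bans older than a cutoff date for review. The addresses, dates and reasons are constructed; the open-port list and the DRY_RUN convention are assumptions of this example.

```shell
#!/bin/sh
# Hand-maintained firewall script (added example, not from the thread).
# Rules live in shell functions and a small data table, so the same
# ruleset drives iptables and ip6tables and every ban records when and
# why it was added. By default the commands are printed for review;
# run with DRY_RUN=0 as root to actually load them.
set -eu

# Ban list: CIDR, IP family, date added (ISO, so it sorts lexically), reason.
# These entries are constructed for illustration.
BANS='198.51.100.0/24 4 2014-05-01 scanner hammering sshd
203.0.113.7/32 4 2014-05-20 form-spam from a single host
2001:db8:bad::/48 6 2014-05-22 same operator as 203.0.113.7'

# TCP services exposed to the world (assumed for this example).
TCP_OPEN="22 80 443"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bans_for FAMILY: CIDRs banned for IP family 4 or 6, one per line.
bans_for() {
    printf '%s\n' "$BANS" | awk -v fam="$1" '$2 == fam { print $1 }'
}

# bans_before DATE: full ban entries added before DATE, for periodic review.
bans_before() {
    printf '%s\n' "$BANS" | awk -v cutoff="$1" '$3 < cutoff { print }'
}

# emit_rules TOOL FAMILY: the complete INPUT policy for one family, using
# TOOL (iptables or ip6tables). Only the ICMP rules differ between families.
emit_rules() {
    tool=$1
    fam=$2
    run "$tool" -F
    run "$tool" -X
    run "$tool" -P INPUT DROP
    run "$tool" -P FORWARD DROP
    run "$tool" -P OUTPUT ACCEPT
    run "$tool" -A INPUT -i lo -j ACCEPT
    run "$tool" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Bans go before the service rules so a banned source never reaches them.
    for cidr in $(bans_for "$fam"); do
        run "$tool" -A INPUT -s "$cidr" -j DROP
    done
    if [ "$fam" = 6 ]; then
        # IPv6 depends on ICMPv6 for neighbour discovery and PMTU discovery;
        # dropping it breaks connectivity, so it is accepted wholesale here.
        run "$tool" -A INPUT -p icmpv6 -j ACCEPT
    else
        run "$tool" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    fi
    for port in $TCP_OPEN; do
        run "$tool" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Rate-limited log of whatever falls through to the DROP policy.
    run "$tool" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop:"
}

# apply_all: load (or print) both rulesets from the one source.
apply_all() {
    emit_rules iptables 4
    emit_rules ip6tables 6
}

apply_all
```

Keeping the bans as a table means `bans_before 2014-01-01` answers the "when was this added, should it still be here" question directly, and the whole file diffs cleanly in version control, which a dumped iptables-save file does not.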