On Tue, 2007-07-03 at 12:23 +0300, Maxim Veksler wrote:
> On 7/2/07, Baruch Even <[EMAIL PROTECTED]> wrote:
> > * Maxim Veksler <[EMAIL PROTECTED]> [070702 03:32]:
> > > On 7/2/07, Lior Kaplan <[EMAIL PROTECTED]> wrote:
> > > > Maxim Veksler wrote:
> > > >
> > > > Use iptables-save to save your current rules as to the iptables rules
> > > > files. It will be loaded on the next reboot using iptables-restore.
>
> The most basic use case is for a sysadmin to configure rules and
> expect them to survive reboot. This is the behavior he is familiar
> with from nearly every enterprise FW device. Here, on Debian OTOH he's
> instructed to script in /etc/network/if-pre-up.d to have the system
> load iptables rule set on boot, reasonable except for the single issue
> of him required to also _remember_ to iptables-save those rules on
> each modification. I find this process error prone. There is not a
> single utility (AFAIK) in Debian repository to automate this process.

I'm running Fedora, which also no longer saves the rules when the iptables
SysV script is stopped, but it still automatically loads them when the
script is started. Assuming the Debian script is similar, which I think it
is, I can offer the following insights:

*) The SysV script offers the option of "save" to call iptables-store for
you. The standard sysadmin use case would be to set up the needed rules,
then run '/etc/init.d/iptables save' and then reboot the machine and the
rules will be loaded automatically.

*) The behavior for saving automatically on "stop" is configurable, but
defaults to off. If you want to go back to the old behavior, then you only
need to change the line in the SysV iptables script that says
IPTABLES_SAVE_ON_STOP="no" to say "yes".

As for the reason - I really suggest that you pursue the changelog entry
for this upstream to make sure, but I for one change my iptables rules
from time to time to test things, and it's very hard to make sure that you
revert exactly to the previous version (and remembering to run
iptables-restore after each iptables configuration session /is/ error
prone). You wouldn't want that ad-hoc rules setup for test will be saved
for posterity by mistake.
--
Oded
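To make the two halves of the thread concrete (the Debian if-pre-up.d hook that restores rules at boot, and the Fedora-style "save" action with its IPTABLES_SAVE_ON_STOP switch), here is an added example script. It is not code from the thread or from either distribution's init script: the rules path /etc/iptables.rules, the function names and the completeness check are assumptions; only the IPTABLES_SAVE_ON_STOP variable name and its "no" default come from the message above.

```shell
#!/bin/sh
# Added example (not from the thread): a Debian-style boot hook plus a
# "save" helper mirroring the Fedora SysV script's IPTABLES_SAVE_ON_STOP
# switch. Assumed: rules live in /etc/iptables.rules (path is an
# assumption) and this file is installed as /etc/network/if-pre-up.d/iptables.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
# Same default as the Fedora script quoted in the thread: do not save on stop.
IPTABLES_SAVE_ON_STOP="${IPTABLES_SAVE_ON_STOP:-no}"

# Sanity-check an iptables-save dump before handing it to iptables-restore.
# A dump is a sequence of "*table" blocks, each ended by a COMMIT line; a
# truncated or half-written file (e.g. a save interrupted by a reboot) has
# fewer COMMIT lines than tables. Rejecting it here avoids ending up with a
# partial rule set and makes the failure visible in the boot log.
rules_file_is_complete() {
  f="$1"
  [ -r "$f" ] || return 1
  tables=$(grep -c '^\*' "$f" || true)
  commits=$(grep -c '^COMMIT$' "$f" || true)
  [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Decide whether a "stop" should persist the running rules, honouring the
# IPTABLES_SAVE_ON_STOP switch described in the thread (only "yes" enables it).
should_save_on_stop() {
  [ "$IPTABLES_SAVE_ON_STOP" = "yes" ]
}

# Load the saved rule set at boot. Refuses an incomplete file rather than
# applying half of it; the interface still comes up, so complain on stderr.
load_rules() {
  if ! rules_file_is_complete "$RULES_FILE"; then
    echo "iptables: $RULES_FILE missing or incomplete, not restoring" >&2
    return 1
  fi
  iptables-restore < "$RULES_FILE"
}

# Persist the running rules, keeping a timestamped copy of the previous file
# so an ad-hoc test rule set saved by mistake can be rolled back.
save_rules() {
  if [ -f "$RULES_FILE" ]; then
    cp -p "$RULES_FILE" "$RULES_FILE.$(date +%Y%m%d%H%M%S)"
  fi
  iptables-save > "$RULES_FILE.tmp" && mv "$RULES_FILE.tmp" "$RULES_FILE"
}

# Dispatch only when invoked with an action, so the file can also be sourced.
case "${1:-}" in
  start) load_rules ;;
  save)  save_rules ;;
  stop)  if should_save_on_stop; then save_rules; fi ;;
  "")    ;;
  *)     echo "usage: $0 {start|stop|save}" >&2; exit 2 ;;
esac
```

Installed as an if-pre-up.d hook it is invoked without arguments by ifupdown, so for that use you would call load_rules unconditionally in the empty-argument branch; the explicit "save" action is what replaces the "remember to run iptables-save" step Maxim objects to, and the backup copy addresses the test-rules-saved-by-mistake case from the reply.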