I had to set up a Linux firewall the other day, and I used the iptables
script-generating program shorewall.
While pulling my hair over how ugly the iptables stuff (even via shorewall)
is compared to OpenBSD's nice clean PF syntax, I did find one very nice
feature in shorewall - safe restart.

When safe restarting, shorewall will implement all rules in the iptables
config files, then give the user a prompt: keep rules y/n?

If 'yes', the rules are kept and everyone is happy. If 'no', iptables is
disabled and all traffic is let in. If there is no answer, it defaults to
'no' after 60 seconds.
Very useful, even if just for the added peace of mind when applying new
changes.

Is there a ready-made script accomplishing this for OpenBSD / PF? Or any
plans of building such functionality?

Christian
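The safe-restart procedure the post describes, as an added example that is not part of the original post or of shorewall: it assumes OpenBSD's pfctl(8) and the rule file /etc/pf.conf; the 60-second default and the "no answer means disable the firewall" behaviour are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a pf "safe restart" in the
# shorewall style. Assumes OpenBSD's pfctl(8) and /etc/pf.conf; the 60 s
# default and "no answer means disable pf" come straight from the post.
RULES="${RULES:-/etc/pf.conf}"
TIMEOUT="${TIMEOUT:-60}"

# decide_keep ANSWER: succeed only on an explicit yes. An empty answer
# (the timeout case) or anything else means revert, like shorewall's default.
decide_keep() {
    case "$1" in
        y|Y|yes|YES|Yes) return 0 ;;
        *)               return 1 ;;
    esac
}

# read_with_timeout SECONDS: print one line from stdin, or nothing if none
# arrives in time. Portable POSIX sh: the reader runs in the background on
# a copy of stdin (fd 3) and a timer kills it, so no 'read -t' is required.
read_with_timeout() {
    tmp=$(mktemp) || return 1
    exec 3<&0
    ( IFS= read -r line <&3; printf '%s' "$line" >"$tmp" ) &
    reader=$!
    ( sleep "$1"; kill "$reader" 2>/dev/null ) &
    timer=$!
    wait "$reader" 2>/dev/null || true      # non-zero when the timer killed it
    kill "$timer" 2>/dev/null || true
    exec 3<&-
    cat "$tmp"; rm -f "$tmp"
}

# safe_restart: load the new ruleset and enable pf, then ask whether to keep
# it. Anything but an explicit yes (including a locked-out admin who cannot
# answer) disables pf again so all traffic passes, as the post describes.
safe_restart() {
    pfctl -f "$RULES" || { echo "ruleset failed to load; nothing changed" >&2; return 1; }
    pfctl -e 2>/dev/null || true            # no-op if pf is already enabled
    printf 'keep rules y/n? (default n after %ss) ' "$TIMEOUT" >&2
    answer=$(read_with_timeout "$TIMEOUT")
    if decide_keep "$answer"; then
        echo "rules kept" >&2
    else
        pfctl -d
        echo "no confirmation: pf disabled, all traffic passes" >&2
    fi
}

if [ "${1:-}" = run ]; then safe_restart; fi   # usage: sh safe-restart.sh run
```

Note that after a timeout the orphaned `sleep` from the timer subshell lingers until it expires, which is harmless here.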
