On Sat, Sep 27, 2014, at 02:07 PM, Tom Eastep wrote:
> The Shorewall-init SAVE_IPSETS action takes place after the firewall is
> cleared. So in your /etc/shorewall/stopped script, if $COMMAND = clear,
> then you could clean and remove all of the ipsets that you *don't* want
> saved.
Aha. Do-able. But, imo, suboptimal.
That provides options to:
- save ALL ipsets (by not specifying anything)
- save THESE ipsets, by specifying !THESE (config by negative logic is
confusing)
There's NO convenient option to save ONLY the dynamic_blacklist ... unless I
specify ALL the !THESE.
hm.
wait, sort-of.
re-reading multiple posts ...
if
/shorewall.conf
DYNAMIC_BLACKLIST=yes
SAVE_IPSETS=no
/shorewall.conf
SAVE_IPSETS=no
/shorewall-init
SAVE_IPSETS=no
then
DYNAMIC_BLACKLIST's IPSET *is* persistently saved to disk
across restart, stop+start & system reboot
AND
NO other IPSETs are saved to disk
is that correct? if so, that's closer.
But, the moment I want to save even ONE IPSET other than DYNAMIC_BLACKLIST's,
and specify
/shorewall-init
SAVE_IPSETS=yes
then I have to add/specify the negative-logic in
/etc/shorewall/stopped
again, doable. seems very kludgy.
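The workaround Tom describes, written out as an /etc/shorewall/stopped extension script, with a positive keep-list instead of the !THESE negative logic. This is an added example, not code from the original thread or from Shorewall itself; $COMMAND is the variable Shorewall passes to extension scripts, and the set name "dyn_blacklist" is a placeholder that must be replaced by the real name of the dynamic blacklist set on the system.

```shell
# Constructed example for /etc/shorewall/stopped (not from the original post).
# Shorewall runs extension scripts with $COMMAND set to the command in
# progress. When shorewall-init clears the firewall (COMMAND=clear), every
# ipset that still exists afterwards gets saved, so the sets that are NOT on
# the keep list are removed first. The keep list is the positive form of the
# "!THESE" logic discussed above.

# Names of the sets that must survive. "dyn_blacklist" is a placeholder name;
# set KEEP_SETS to the actual dynamic blacklist set (plus any others to keep).
KEEP_SETS="${KEEP_SETS:-dyn_blacklist}"

# is_kept NAME: succeed if NAME is on the keep list.
is_kept() {
    for k in $KEEP_SETS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# sets_to_drop: read ipset names from stdin (one per line, as printed by
# "ipset list -n") and print only the names that are not kept.
sets_to_drop() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        is_kept "$name" || printf '%s\n' "$name"
    done
}

# Only act on "clear"; stop/restart leave the sets alone. The firewall rules
# are already gone at this point, so destroying the sets does not fail on
# references from iptables.
if [ "$COMMAND" = clear ] && command -v ipset >/dev/null 2>&1; then
    ipset list -n | sets_to_drop | while IFS= read -r name; do
        ipset flush "$name" && ipset destroy "$name"
    done
fi
```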
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users