> Thanks for the reminder. I had updated the article but had neglected to
> publish the updated version.
A couple of comments, as this useful feature adds both flexibility and some
config complexity.
FWIW, it's a bit fuzzy to me.
Reading
...
Beginning with Shorewall 4.6.4, you can save selective ipsets by
setting SAVE_IPSETS to a comma-separated list of ipset names. You can also
restrict the group of sets saved to ipv4 sets by setting SAVE_IPSETS=ipv4.
...
the context for that SAVE_IPSETS=comma-separated-list is strongly implied to be
in shorewall(6).conf, rather than in shorewall-init, but it's not currently
explicitly stated.
reading
...
Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in shorewall.conf won't work
correctly because it saves both IPv4 and IPv6 ipsets. To work around this
issue, Shorewall-init is capable of restoring ipset contents during 'start' and
saving them during 'stop'. To direct Shorewall-init to save/restore ipset
contents, set the SAVE_IPSETS option in /etc/sysconfig/shorewall-init
(/etc/default/shorewall-init on Debian and derivatives). The value of the
option is a file name where the contents of the ipsets will be saved to and
restored from. Shorewall-init will create any necessary directories during the
first 'save' operation. If you configure Shorewall-init to save/restore ipsets,
be sure to set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
...
Putting it all together, it's unclear what to do if, e.g.,
(1) I'm using v >= 4.6.4, and
(2) want SW to save & restore only specified IPv4 & IPv6 ipsets.
So, I'd 1st configure

  /shorewall.conf
    SAVE_IPSETS=comma-separated-list-of-ipv4-ipsets
  /shorewall6.conf
    SAVE_IPSETS=comma-separated-list-of-ipv6-ipsets

then
(1) what should the SAVE_IPSETS= setting in /etc/default/shorewall-init
be?
(2) if it's =N or =(null), then at what SW stages are the IPSETS
saved/restored? The para above only states what happens when it =Y in
/etc/default/shorewall-init ...
(3) iirc, the dynamic_blacklist IPSET save/restore is handled
*differently* -- it's *always* saved/restored, is persistent across SW
start/stop/restart & system reboot, and does (should?) NOT need to be specified
in SAVE_IPSETS=
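As an added example (not from this thread or the Shorewall project), here is a small POSIX sh check for the one rule the quoted documentation does state plainly: when shorewall-init is configured to save/restore ipsets (SAVE_IPSETS set to a file name), shorewall.conf and shorewall6.conf must have SAVE_IPSETS=No. The three file paths are assumed to be passed as arguments, and the value classes (No/Yes/ipv4/list) follow the documentation text above.

```shell
#!/bin/sh
# Added example: checks SAVE_IPSETS across the shorewall-init defaults file,
# shorewall.conf and shorewall6.conf for the conflict the docs warn about.
# Usage: check_save_ipsets <shorewall-init-defaults> <shorewall.conf> <shorewall6.conf>

# Print the value of KEY from FILE (first uncommented KEY=... line), with
# surrounding double quotes stripped; prints nothing if the key or file is absent.
get_setting() {
    key=$1; file=$2
    [ -r "$file" ] || return 0
    sed -n "s/^[[:space:]]*$key=//p" "$file" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Classify a shorewall(6).conf SAVE_IPSETS value as the documentation describes:
# none (No or empty), all (Yes), ipv4 (ipv4), or list (comma-separated set names).
classify_save_ipsets() {
    case "$1" in
        ""|No|no|NO)  echo none ;;
        Yes|yes|YES)  echo all ;;
        ipv4)         echo ipv4 ;;
        *)            echo list ;;
    esac
}

# Return 0 when consistent; return 1 (with a message on stderr) when
# shorewall-init is set to a save file while either .conf still saves ipsets.
check_save_ipsets() {
    init_val=$(get_setting SAVE_IPSETS "$1")
    v4_class=$(classify_save_ipsets "$(get_setting SAVE_IPSETS "$2")")
    v6_class=$(classify_save_ipsets "$(get_setting SAVE_IPSETS "$3")")
    if [ -n "$init_val" ] && { [ "$v4_class" != none ] || [ "$v6_class" != none ]; }; then
        echo "conflict: shorewall-init saves to '$init_val' but shorewall.conf=$v4_class, shorewall6.conf=$v6_class (expected No)" >&2
        return 1
    fi
    return 0
}

# Run the check when invoked directly with the three paths.
if [ $# -eq 3 ]; then
    check_save_ipsets "$1" "$2" "$3"
fi
```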
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users