On Tue, 2005-02-22 at 16:47, Aleksandar Milivojevic wrote:
> Chris Miller wrote:
> > [root@sea-fw1 ~]# /etc/init.d/iptables condrestart
> > Flushing firewall rules:                    [ OK ]
> > Setting chains to policy ACCEPT: filter nat [ OK ]
> > Unloading iptables modules:
> >
> > Hangs there and never moves on.
>
> Are you really sure you want to do everything that the iptables script does
> when restarting?
>
> While it might seem cleaner to completely reset the firewall each time you
> change its configuration, it has some dirty consequences.
>
> By unloading the nat (and related) conntrack modules, you will lose all
> connection tracking information. While in some cases this might be just
> what you wanted to do, usually you don't want to affect existing
> connections. Imagine the frustration of somebody who was downloading a
> 3GB DVD image from your FTP server, and then you restarted your
> firewall when his transfer was almost complete. His connection becomes
> history. Now imagine you had 20 such users doing transfers at the time
> the firewall was restarted.
>
> Also, have in mind that by doing /etc/init.d/iptables restart, there
> will be that small window when you do not have any firewall, and a very
> short period when you have a firewall with no rules at all. If there's an
> error in the new /etc/sysconfig/iptables file, you'll be left with a firewall
> with no rules loaded.
>
> If you are using the /etc/sysconfig/iptables file to store your firewall
> config, just do:
>
> # iptables-restore /etc/sysconfig/iptables
>
> This will load the rules into the kernel, while preserving all state
> information that existed previously (because the conntrack module is not
> unloaded).
>
> By doing iptables-restore, the new rules will simply replace the old
> rules in your running firewall in a single atomic operation. If loading
> of the new rules fails, the old rules stay in effect. Your firewall is all
> the time up, running and fully operational.
>
> --
> Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
> Systems Administrator                           1499 Buffalo Place
> Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7

That helps more than you will ever know. Thank you.
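As an added example that is not part of the original thread: the reload procedure Aleksandar describes, written as a small POSIX shell script. It does a cheap structural check of the iptables-save file, asks iptables-restore to parse the ruleset without committing it (the `--test` option is an assumption about a newer iptables than the 2005-era one in the thread; drop that step on old versions), snapshots the running rules with iptables-save, and only then loads the file with iptables-restore, so nf_conntrack is never unloaded and a bad file never leaves the box with no rules. The `IPTABLES_RESTORE` / `IPTABLES_SAVE` variables, the function names and the sample ruleset are all constructed for this example; the variables exist so the logic can be exercised without root by pointing them at stubs.

```shell
#!/bin/sh
# Added example (not from the thread): reload iptables rules without
# /etc/init.d/iptables restart, so connection tracking state survives.

RULES="${RULES:-/etc/sysconfig/iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"   # assumed override hook
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"            # assumed override hook

# Constructed sample ruleset in iptables-save format (not from the thread):
# a minimal stateful INPUT policy that depends on conntrack state.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Structural pre-check: every "*table" block must be closed by a COMMIT
# line, and nothing may appear outside a block except comments.
# Returns 0 if the file looks like valid iptables-save output, 1 otherwise.
check_ruleset_syntax() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/        { if (open) bad = 1; open = 1; next }
        /^COMMIT$/   { if (!open) bad = 1; open = 0; next }
                     { if (!open) bad = 1 }
        END          { if (NR == 0 || open || bad) exit 1 }
    ' "$f"
}

# Validate, snapshot, then swap the ruleset in place. If any step fails
# the previously loaded rules are untouched and still enforcing.
reload_firewall() {
    f="$1"
    check_ruleset_syntax "$f" || { echo "$f: malformed ruleset, not loading" >&2; return 1; }

    # --test parses and builds the ruleset in userspace without committing it.
    "$IPTABLES_RESTORE" --test "$f" || { echo "$f: rejected by iptables-restore --test" >&2; return 1; }

    backup="$(mktemp)" || return 1
    "$IPTABLES_SAVE" > "$backup" || { echo "could not snapshot running rules" >&2; return 1; }

    # iptables-restore replaces each table at its COMMIT without flushing
    # chains to ACCEPT first or unloading conntrack modules.
    if "$IPTABLES_RESTORE" "$f"; then
        echo "loaded $f (previous ruleset saved to $backup)"
    else
        echo "load failed; previous rules remain in effect (snapshot: $backup)" >&2
        return 1
    fi
}

# Usage: RULES=/etc/sysconfig/iptables sh safe-reload.sh apply
if [ "${1:-}" = "apply" ]; then
    reload_firewall "$RULES"
fi
```

Run it as root with `apply` after editing /etc/sysconfig/iptables; a file that fails either check is reported and the running firewall is left exactly as it was, which is the property the init script's flush-then-reload sequence lacks.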