-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aleksandar Milivojevic wrote:
| Bernd Radinger wrote:
|
|> in /etc/sysconfig/iptables-config change the configuration to:
|>
|> IPTABLES_MODULES_UNLOAD="no"
|>
|> I was told that fixes the problem
|
|
| It probably will, since he was hanging on module unload. It will also
| preserve connection tracking information. However, even with that
| option set, "iptables restart" will still flush all rules, set the default
| policy to ACCEPT, and then start the firewall from scratch (so you will be
| wide open for that small time window, enough for a packet or two to pass
| by, which is sometimes all it takes to break into the machine). It is
| usually better to simply load the new rules. And you can't use "iptables
| start" either, because it is doing the same thing (basically, "start"
| and "restart" are effectively the same, with "restart" having an option
| to save the fw rules before stopping the firewall).
|
| I raised some concerns some time ago on Bugzilla about the iptables
| script and proposed (if I remember correctly) that either "start"
| shouldn't be unloading firewall rules, or that a new option for "restart"
| be implemented (that would only load new rules). I was told that
| there's no value in doing that since the time window is too small (not
| really, if the firewall is under attack from inside and the (inside) attacker
| can guess approx. when the firewall is to be restarted), and to modify
| my local iptables scripts if I don't like the way it is currently done.
|
While the time to restart iptables is not very high, I do agree that something should be added to the restart script. Would there really be a huge problem with adding "reload" to the script? I know I usually have a problem restarting a firewall through SSH when I am translating ports.

I ssh to a different port than 22, but PREROUTING rules translate it to 22. When I restart while using ssh, I get kicked out if it is a large ruleset. If it is a small ruleset, I am fine. My only other option is to be at the local console to restart iptables. If "reload" were an option, so that connections were not broken, that would help a lot.
- --
Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln@xxxxxxx
417-447-7535
GPG Public Key ID: 0xAC187312

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFCHKKAc+QrUawYcxIRAiqKAJ9VpAH8KagMAEOp10DZQt1DXVfafQCbBNck
oQLf+w3w9kgzpgVe+HVXNqI=
=hHGR
-----END PGP SIGNATURE-----
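The "reload" the thread asks for can be had today without changing the init script: iptables-restore builds each table in userspace and replaces the live one in a single kernel call, so there is no moment with an empty chain and an ACCEPT default policy, and conntrack entries (including the admin's own ssh session) survive because nothing is flushed or unloaded. The script below is an added example for this thread, not code from any of the posters or from the distribution's iptables script. It assumes the layout described in the mail (sshd reached on an alternate port that nat PREROUTING redirects to 22); the alternate port 2222 and the rule contents are illustrative choices.

```bash
#!/bin/sh
# Added example (not from the thread): replace the live iptables ruleset
# atomically with iptables-restore instead of "service iptables restart".
# Assumptions (not in the original mail): management ssh arrives on TCP 2222
# and nat PREROUTING redirects it to 22; the rule contents are illustrative.

set -eu

# Emit a complete ruleset in iptables-save format. Everything between a
# "*table" line and its COMMIT is applied as one replace of that table, so
# there is no window in which the chain is empty with policy ACCEPT.
make_ruleset() {
    alt_port="$1"   # public port that is redirected to sshd on 22
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport ${alt_port} -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Plain-text sanity check that never touches the kernel: every table opened
# with "*name" must be closed by a COMMIT line. Returns non-zero otherwise.
# (iptables-restore itself rejects real syntax errors; this only catches a
# truncated file before any table is replaced.)
check_ruleset() {
    f="$1"
    opened=$(grep -c '^\*' "$f") || opened=0
    committed=$(grep -c '^COMMIT$' "$f") || committed=0
    [ "$opened" -gt 0 ] && [ "$opened" -eq "$committed" ]
}

# Replace the live ruleset in one shot. Unlike the init script's stop/start,
# this neither flushes chain by chain nor unloads modules, so connection
# tracking state and the admin's ssh session are kept. The previous ruleset
# is saved first so a failed load can be rolled back.
reload_firewall() {
    new="$1"
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    check_ruleset "$new" || { echo "ruleset $new is malformed" >&2; return 1; }
    iptables-save > "$backup"
    if ! iptables-restore < "$new"; then
        echo "load failed, restoring previous ruleset from $backup" >&2
        iptables-restore < "$backup"
        return 1
    fi
    echo "ruleset loaded; previous ruleset saved in $backup"
}

# Usage (requires root):
#   make_ruleset 2222 > /tmp/fw.rules && reload_firewall /tmp/fw.rules
```

Because the filter table's INPUT rule for port 22 is evaluated after nat PREROUTING has already rewritten the destination port, the ssh session on 2222 matches the ESTABLISHED rule across a reload and is not dropped, which is the case that "service iptables restart" breaks for a large ruleset.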