On Thu, 2005-12-01 at 14:27 -0800, Kenneth Porter wrote:
> I do back up my sysconfig file before messing with the firewall, but I
> often edit it once I've backed it up. The format isn't too tough to
> decipher. Each line has the stuff after "iptables -t majortable -A
> minortablename". The major and minor tables are in groups. The
> counters for each rule can optionally appear at the beginning of the
> line in brackets.
>
> The big win in using the save file over individual rule invocations is
> that it gets loaded into the kernel in one gulp, with only one locking
> of the kernel structure. This makes it much faster when you have a lot
> of rules. Some iptables helper programs can generate hundreds of rules,
> so this makes your firewall loading much less painful.

When I first messed with iptables, there wasn't an interface. So I ended
up writing a script file with my rules in it (as you'd type them into the
CLI), giving me an easy way to modify things (keeping some things the
same, changing others), and an easy way to re-implement the same set of
rules later on. The last line of the script saved the rules to the
standard place, so they were implemented at bootup, just the same as
you've described above. It worked well for me.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
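The save-file layout described in the quoted message (table headers, chain policy lines, rule lines with optional bracketed counters, COMMIT) is easy to see by walking a dump and turning each line back into the `iptables -t TABLE ...` command it stands for. The script below is an added example written for this page, not code from either poster; the dump it parses is constructed inline for illustration, and the function name save_to_commands is the author's own choice.

```shell
#!/bin/sh
# Added example: turn an iptables-save dump back into the one-rule-at-a-time
# "iptables -t TABLE ..." commands it encodes. Runs offline; no root needed.

# Constructed sample dump (not a real firewall). Note the two tables, the
# chain policy lines beginning with ':' and the optional [pkts:bytes]
# counters at the start of two rule lines.
SAMPLE_DUMP='# Generated by iptables-save v1.4.21 on Thu Dec  1 14:27:00 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[1234:56789] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Dec  1 14:27:00 2005'

# save_to_commands: read an iptables-save dump on stdin and print one
# "iptables -t <table> ..." line per chain policy and per rule.
# Counters in leading brackets are dropped, since plain "iptables -A"
# cannot set them (iptables-restore -c is what restores counters).
save_to_commands() {
    table=''
    while IFS= read -r line; do
        case "$line" in
            '#'*|'')
                continue ;;                       # comment or blank line
            '*'*)
                table="${line#\*}" ;;             # table header, e.g. *filter
            ':'*)
                rest="${line#:}"                  # ":CHAIN POLICY [p:b]"
                chain="${rest%% *}"
                policy="${rest#* }"
                policy="${policy%% *}"
                if [ "$policy" = '-' ]; then      # '-' marks a user-defined chain
                    printf 'iptables -t %s -N %s\n' "$table" "$chain"
                else
                    printf 'iptables -t %s -P %s %s\n' "$table" "$chain" "$policy"
                fi ;;
            COMMIT)
                table='' ;;                       # end of this table's group
            '['*)
                rule="${line#\[*\] }"             # strip "[pkts:bytes] " prefix
                printf 'iptables -t %s %s\n' "$table" "$rule" ;;
            *)
                printf 'iptables -t %s %s\n' "$table" "$line" ;;
        esac
    done
}

# Stand-alone run: print the equivalent command list for the sample dump.
printf '%s\n' "$SAMPLE_DUMP" | save_to_commands
```

The printed list is exactly the rule-at-a-time script the reply above describes writing by hand; feeding the original dump to `iptables-restore` instead applies each table in a single pass, which is the speed advantage the quoted message points out. Counters are only reloaded when you pass `-c` to `iptables-restore`; without it they are ignored, just as this script ignores them.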