After I've played with ipsets for several days, I'm beginning to become disenchanted with the way the SAVE_IPSETS=Yes works. I spent almost an hour configuring a bunch of ipsets to be just the way that I wanted them only to wipe them out with a "shorewall restart" :-(

So, I think that I will change the implementation as follows:

a) The ipset contents will only be restored from /var/lib/shorewall in the following cases:

   1) "shorewall restore" (or "shorewall -f start")

   2) When "start" or "restart" fails and the entire configuration is restored from a "save" snapshot in /var/lib/shorewall.

b) You can use the "ipset -S" command to save a file called "ipsets" in a shorewall configuration directory. For example, if you create /etc/test and copy some files from /etc/shorewall for modification, you can also fiddle with the ipset contents and save the result in /etc/test/ipsets. Then when you "shorewall try /etc/test", or "shorewall restart /etc/test", the ipsets will be loaded from /etc/test/ipsets. You can also do the same in /etc/shorewall of course.

Note that it is still possible to mess yourself up but maybe not so badly as with the 2.3.0 code. I'm open to suggestions.

I have also created an /etc/init.d/ipset script for my Debian firewall that can load my ipsets before I start Shorewall. That keeps ipsets separate from Shorewall which may be the best plan in the long run.

Suggestions are welcome.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
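
An added example, not part of the original message and not Tom's init script or Shorewall's code: a sketch of a helper that saves and loads ipsets separately from the firewall while guarding against the wipe-out described above. The function names, the default file path, and the use of the old-style `-F`, `-X` and `-R` flags alongside the message's `ipset -S` are assumptions.

```shell
#!/bin/sh
# Added example (not Tom's init script, not Shorewall code).
# Assumed: function names, the default path, and the old-style ipset
# flags -F (flush), -X (destroy), -R (restore) next to -S from the message.
IPSET=${IPSET:-ipset}
IPSET_FILE=${IPSET_FILE:-/etc/shorewall/ipsets}

# Save live sets. Write to a temp file in the same directory and rename,
# so a failed or empty save never replaces the last good copy.
save_ipsets() {
    tmp="$IPSET_FILE.tmp.$$"
    if "$IPSET" -S > "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$IPSET_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Load saved sets. Return 2 without touching the kernel when there is
# nothing to load, so hand-built sets are never flushed for an empty file.
load_ipsets() {
    [ -s "$IPSET_FILE" ] || return 2
    # -X fails while iptables rules still reference a set, which is why
    # this belongs before the firewall starts.
    "$IPSET" -F && "$IPSET" -X || return 1
    "$IPSET" -R < "$IPSET_FILE"
}

# init-style dispatch; any other argument (or none) does nothing.
case "${1:-}" in
    start) load_ipsets ;;
    stop)  save_ipsets ;;
esac
```

Setting `IPSET_FILE=/etc/test/ipsets` points the same functions at a trial configuration directory.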