Ville Walveranta
2013-Apr-09 21:20 UTC
Exporting current rules from Shorewall in dry-run style?
Is there a way to export the current ruleset from Shorewall in a way that would produce output comparable to iptables-save, without making those rules effective? I know there is "shorewall compile", but the resulting script does not appear to be diff-able (at least in a meaningful way :) with the output from iptables-save, even when the script segments are stripped off.

The use-case for the above is this: I'm working on a firewall that used to be Shorewall-managed, but because refreshing the rules via "shorewall safe-restart" terminated active VoIP streams, admins started making direct iptables changes. The two rulesets (Shorewall vs. vanilla iptables) diverged over time, and while the VoIP connections have moved off of the segment, the differences haven't been settled. Being a live environment, it would be preferable if I could compare and re-implement the rules in Shorewall before switching back. Being able to diff the rules currently in use against those currently defined in Shorewall would make the work much easier.

Thanks for any insights on this!
Tom Eastep
2013-Apr-09 21:55 UTC
Re: Exporting current rules from Shorewall in dry-run style?
On 04/09/2013 02:20 PM, Ville Walveranta wrote:
> Is there a way to export the current ruleset from Shorewall in a way
> that would produce output comparable to iptables-save, without making
> those rules effective? I know there is "shorewall compile", but the
> resulting script does not appear to be diff-able (at least in a
> meaningful way :) with the output from iptables-save, even when the
> script segments are stripped off.
>

shorewall check -r

-Tom

-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
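To turn the two dumps into something diff-able, here is an added example (not code from the thread or from Shorewall): a small Python normalizer that strips timestamps, packet counters and Shorewall's own comment matches from two iptables-save/iptables-restore style dumps and reports rules that appear on only one side. It assumes the "shorewall check -r" dump is in iptables-restore format; the sample dumps below are constructed, not captured from a real host.

```python
import re
# Counters iptables-save appends to policy lines, e.g. ':INPUT DROP [12:3456]'
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]")
# Shorewall tags rules with a comment match; drop it so the two sides compare
COMMENT_RE = re.compile(r'\s*-m comment --comment "[^"]*"')

def normalize(text):
    """Parse iptables-save/iptables-restore text into {table: [clean lines]}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '# Generated by ...' timestamps
            continue
        if line.startswith("*"):               # '*filter' opens a table block
            table = line[1:]
            tables.setdefault(table, [])
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table block: {line!r}")
        else:
            line = COMMENT_RE.sub("", COUNTER_RE.sub("", line))
            tables[table].append(re.sub(r"\s+", " ", line))
    return tables

def ruleset_diff(live, generated):
    """(only_in_live, only_in_generated) as sorted 'table: line'; chain order is ignored."""
    flat = lambda t: {f"{name}: {l}" for name, lines in t.items() for l in lines}
    a, b = flat(normalize(live)), flat(normalize(generated))
    return sorted(a - b), sorted(b - a)

# Constructed sample dumps: live box has a hand-added SSH rule, Shorewall still has NTP.
LIVE = """# Generated by iptables-save v1.4.14 on Tue Apr  9 21:00:00 2013
*filter
:INPUT DROP [10:800]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
"""
GENERATED = """*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
"""
if __name__ == "__main__":
    only_live, only_gen = ruleset_diff(LIVE, GENERATED)
    print("only in live iptables:", only_live)
    print("only in Shorewall ruleset:", only_gen)
```

The normalization is purely lexical: the same rule can be rendered with different flag spellings (for example "--dport" versus "--destination-port"), so expect to extend the regexes for the dumps you actually have. Rule order within a chain, which does affect semantics, is deliberately ignored so that the output lists only rules missing from one side.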