On Mon, Dec 05, 2016 at 10:09:38PM +0200, Lars Noodén wrote:
[cut]
>
> What do you see as the advantage? I'm interested in hearing the
> rationale for either /etc/iptables/ or /etc/network/ since iptables-apply
> and iptables-persistent are conflicting and unlikely to be resolved
> upstream in the immediate future.
>
The old Debian standard used to be /var/lib/iptables/, and I don't
know when this behaviour changed (especially because I never changed
it, despite the choices made by DDs). It might look somehow weird, but
it actually made a lot of sense: iptables rules define the current
state of iptables, and most of the directories in /var/lib/* do
indeed contain state information of daemons, services, and simple
utilities (think for instance of /var/lib/urandom/random-seed).
I know that in many situations firewall rules can be considered as a
"static" set of parameters, but if you also consider that:
- in large-scale environments iptables rules can be (and normally
are) changed dynamically, e.g. by an intrusion detection system
which can reset the DROP policy to specific classes of addresses, or
by an external load-balancing daemon which can decide to re-route
traffic to other working nodes according to some external rules;
- the normal routine in firewall testing is to load/dump different
configurations until everything works as you want;
- usually the same server can (or should, or must) have several
possible alternative sets of rules;
then you would agree that there is nothing written in stone when it
comes to firewall rules (read: nothing to be necessarily kept in
/etc/*/).
Hence, /var/lib/iptables/ seems indeed the perfect place to keep
(different possible sets of) iptables rules.
My2Cents
KatolaZ
--
[ ~.,_ Enzo Nicosia aka KatolaZ - GLUGCT -- Freaknet Medialab ]
[ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
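The workflow sketched in the post (dump and load several alternative rule sets, keep them under /var/lib/iptables/ rather than /etc/) is easy to put into a small script. The following is an added example, not code from the post or from Debian's iptables packaging; it assumes a hypothetical layout of one iptables-save dump per named set, stored as `$RULES_DIR/<name>.v4`. The `check_ruleset` function is a pure-shell structural check of the iptables-save format (each `*table` block must declare its chains, every `-A` rule must target a declared chain, and every block must end with `COMMIT`), so a malformed file is rejected before anything touches the live firewall. The real commands used are `iptables-save`, `iptables-restore --test` (parse only, no commit) and `iptables-restore`; those three need root and a kernel with netfilter, while the check and listing functions run anywhere.

```shell
#!/bin/sh
# Named iptables rule-set store under /var/lib/iptables/ (hypothetical helper).
# Layout assumption: one iptables-save dump per set, named "<set>.v4".
RULES_DIR="${RULES_DIR:-/var/lib/iptables}"

# Dump the live rules as a named set (needs root; iptables-save is real).
save_ruleset() {
    mkdir -p "$RULES_DIR"
    iptables-save > "$RULES_DIR/$1.v4"
}

# List the sets currently stored, one name per line.
list_rulesets() {
    for f in "$RULES_DIR"/*.v4; do
        [ -e "$f" ] || continue
        basename "$f" .v4
    done
}

# Structural check of an iptables-save format file, without iptables:
#   "*table"  opens a block (nesting is an error)
#   ":CHAIN"  declares a chain inside the current block
#   "-A CHAIN ..." must name a declared chain of the current block
#   "COMMIT"  closes the block; an unclosed block at EOF is an error
# Comments and blank lines are ignored. Jump targets are not resolved here;
# that is what "iptables-restore --test" is for.
check_ruleset() {
    file="$1"
    [ -r "$file" ] || return 1
    awk '
        BEGIN { bad = 0; intable = 0 }
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/ {
            if (intable) bad = 1
            intable = 1
            for (c in chains) delete chains[c]
            next
        }
        /^:/ {
            if (!intable) bad = 1
            sub(/^:/, "")
            chains[$1] = 1
            next
        }
        /^COMMIT$/ { if (!intable) bad = 1; intable = 0; next }
        /^-[AI] / { if (!intable || !($2 in chains)) bad = 1; next }
        { bad = 1 }
        END { if (intable) bad = 1; exit bad }
    ' "$file"
}

# Load a named set: structural check, then a parse-only dry run, then commit.
# Both iptables-restore calls need root.
activate_ruleset() {
    file="$RULES_DIR/$1.v4"
    check_ruleset "$file" || { echo "malformed rule set: $file" >&2; return 1; }
    iptables-restore --test < "$file" || { echo "dry run failed: $file" >&2; return 1; }
    iptables-restore < "$file"
}
```

Typical use as root is `save_ruleset baseline` after hand-tuning, `list_rulesets` to see what is available, and `activate_ruleset baseline` to switch; because `iptables-restore` replaces the tables in the file atomically, swapping between alternative sets never leaves a half-applied state.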