Mailinglist Archive: opensuse-factory (956 mails)
| < Previous | Next > |
Re: [opensuse-factory] Time to rehash SuSEFirewall2
- From: Olipro <olipro@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 8 Oct 2011 15:36:02 +0100
- Message-id: <201110081536.03140.olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Apologies for the duplicate, Amavisd 2.7.0 in the Mail repo borked my
mailserver.
On Saturday 08 Oct 2011 15:27:25 Olipro wrote:
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
mailserver.
On Saturday 08 Oct 2011 15:27:25 Olipro wrote:
Hello Folks,--
So, just offering my opinion on what I personally feel is an "issue" for
OpenSUSE with regards to its firewall.
Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a
rule - this goes completely against what is advocated by the Netfilter
developers as it is not atomic and is costly in terms of performance;
iptables-restore on the other hand, is atomic and restores everything in
one fell swoop.
Additionally, whilst SuSEFirewall2 does provide for allowing you to
configure your own rules, it's not particularly robust, nor supported.
Thus, my suggestion is as follows:
Modify SuSEFirewall2 so that rule building happens *once* and from that
point, ip(6)tables-save and ip(6)tables-restore is all that gets used.
SuSEFirewall2 need only do a rebuild if the rules are modified.
Doing it this way carries the benefit that initialisation of Netfilter at
bootup will be far more efficient. It also has the benefit that any
advanced user is free to customise their iptables ruleset as they see fit,
currently, the only other way I have found to do that is dragging across
iptables scripts from Enterprise Linux and disabling SuSEFirewall2.
Regards,
Oliver
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
| < Previous | Next > |