Terry Porter writes:

> On Wed, 15 Oct 2008 21:27:58 -0400, Erik Funkenbusch wrote:
>
>> On Wed, 15 Oct 2008 11:57:18 -0500, Sinister Midget wrote:
>>
>>> Without taking a shot at what might or might not be at fault (I can't
>>> get my hands on it to take a look), there are ways to make it "reset"
>>> iptables (whatever that is) automatically, and nearly imperceptibly by
>>> the users of the firewall. There are always workarounds, whether the
>>> problem is the program, or the errors are introduced by the problem at
>>> the keyboard.

>>
>> No, there is no way to reset iptables in this case. I've tried all the
>> normal solutions and they don't work. I have to unload all rules and
>> reload them, it's the only way I've been able to make it recover. This
>> kills all net connections that are using those rules.

>
> This stuff is iptables 101 Erik, WHAT are you doing messing around with
> this stuff when you have NO CLUE ?
>
> You can't even SPECIFY the problem properly!
>
> There is no 'UNLOAD' command there is only flushing the iptables rulesets
> and naturally this BLOCKS everything.


This is frequently called unloading the ruleset. Sigh. You ARE Kelsey
and I claim my 2c.

>
> Usually this takes the form of :-
> iptables -F
> iptables -t nat -F
>
> I have a little shell script that I use as a last ditch recovery tool
> should it be needed, and I leave this in the /root directory. It flushes
> the iptables ruleset and then opens everything up, by ACCEPTING all
> connections. *Don't* use this on your firewall while it's connected to
> the Internet!
>
> ..................iptc.sh.......................
> #!/bin/bash
> # Clear all tables:-
> iptables -F
> iptables -t nat -F
>
> # Enable all inputs/outputs:-
> # (ethX is a placeholder: substitute the real interface name, e.g. eth0)
> iptables -A INPUT -i ethX -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -P OUTPUT ACCEPT
> .............................................
>
> Loading a new ruleset over an existing is pretty much instant and


"Loading"?!?!? Whoops! A self nuke. Nice one Terry.

> doesn't interfere with things (unless it removes important rulesets), I
> know as I do this a lot myself.


Wow. Changing the rulesets might interfere with things! Genius!

>
> But then I use FWbuilder http://www.fwbuilder.org/ to remotely admin
> iptables rulesets via a SSH upload, which makes the job quite fast and
> easy.


fwbuilder is good. All most people need is firestarter for local admin.

--
"Unfortunately, once again, the user-unfriendly dirtware sucks so bad it's
hard to prove how bad it sucks."
-- "DFS" in comp.os.linux.advocacy
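An added example, not Terry's iptc.sh and not anything fwbuilder produces: the thread argues over flushing rules one command at a time versus "loading a new ruleset over an existing" one. The script below does the latter with iptables-restore, which parses a whole table and commits it in one step, so the swap is near-instant and an ESTABLISHED,RELATED rule keeps existing connections alive across it (the kernel's conntrack state survives a table replacement). The WAN interface name, the open-port list and the backup path under /root are assumptions chosen for illustration; run it as root to actually apply anything.

```shell
#!/bin/sh
# Added example, not Terry's iptc.sh: replace the live ruleset in one step with
# iptables-restore instead of flushing and re-adding rules one command at a time.
# Assumed/constructed: the WAN interface name and the TCP port list are arguments;
# the backup path under /root is a placeholder. Run as root to actually apply.

# build_ruleset WAN_IF PORT...
# Prints an iptables-restore file on stdout: default-deny INPUT/FORWARD,
# loopback and established traffic allowed, listed TCP ports open on WAN_IF.
build_ruleset() {
    wan_if="$1"
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Keep existing connections alive across the reload: conntrack state survives
    # a table swap, so established flows match here and are not cut off.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $wan_if -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
    # The nat table is listed too so iptables-restore replaces it as well;
    # a table not named in the file is left untouched.
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' 'COMMIT'
}

# count_rules WAN_IF PORT... -> number of -A lines the ruleset would install
count_rules() {
    build_ruleset "$@" | grep -c '^-A '
}

# apply_ruleset WAN_IF PORT...
# Saves the current rules, then loads the new ones. iptables-restore parses a
# whole table before committing it, so a syntax error aborts that table's
# commit and the kernel is never left half-flushed.
apply_ruleset() {
    backup="/root/iptables-before-$(date +%Y%m%d%H%M%S).rules"   # placeholder path
    iptables-save > "$backup" || { echo "iptables-save failed" >&2; return 1; }
    if build_ruleset "$@" | iptables-restore; then
        echo "ruleset replaced; previous rules saved in $backup"
    else
        echo "iptables-restore rejected the ruleset; roll back with: iptables-restore < $backup" >&2
        return 1
    fi
}

# Usage: ./fw-reload.sh apply eth0 22 443   (as root: save old rules, load new ones)
#        ./fw-reload.sh show  eth0 22 443   (only print the ruleset that would load)
case "$1" in
    apply) shift; apply_ruleset "$@" ;;
    show)  shift; build_ruleset "$@" ;;
esac
```

The "show" mode is worth running first: it lets you read the exact text iptables-restore will load before touching the box, and the saved file from iptables-save is what you feed back if the new rules lock you out.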