Mixing firewall tools

Hi all,

I have a machine with a hand-rolled firewall script, which just runs
iptables commands - all well and good.

The trickiest bits are for my LXC containers; I need to forward ports
etc - but that's ok.

The complications start when I add fail2ban - now I have an extra bit in
my init script that reloads fail2ban after reloading my script, because
my script does a flush of all existing rules. This is now getting ugly,
but it still worked.

Does anyone have better ideas for that stage? Do any of the many
firewall tools cope with this adequately?

I do have a hitch on this machine (but not on another similar one) in
that it hangs on boot ... I'm not sure why, except I suspect running an
init script on a systemd system may be a contributing factor - except
that my other firewall was also upgraded to jessie+systemd, and it
works. I haven't figured that one out yet.

Now the biggie: I want to add Docker. Docker wants to do its own thing
with iptables. Do I need to resort to just telling Docker to keep its
hands off, and do everything myself?

Are there any good tools out there that allow for integration of
multiple firewall systems, and produce reasonably straightforward rule sets?

Any other tips - i.e. answers to questions I didn't think of asking? :-)
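One way to get rid of the "flush everything, then reload fail2ban" step is to stop flushing: regenerate only the chain your own script owns and hand the whole ruleset to `iptables-restore`, which swaps the table atomically, so fail2ban's `f2b-*` chains and Docker's `DOCKER*` chains (and the `-j FW-INPUT` hook in INPUT) survive each reload untouched. The following is an added example, not code from the original post; the chain name `FW-INPUT`, the sample `iptables-save` dump and the new rules are constructed assumptions.

```python
# Chain the hand-rolled script owns (assumed name; the post names none).
OWNED = {"FW-INPUT"}

# Constructed `iptables-save` dump: fail2ban's f2b-sshd, Docker's DOCKER chain
# and our FW-INPUT chain hooked from INPUT.
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:FW-INPUT - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j FW-INPUT
-A FORWARD -o docker0 -j DOCKER
-A FW-INPUT -i lo -j ACCEPT
-A FW-INPUT -p tcp --dport 22 -j ACCEPT
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
"""

NEW_RULES = [  # what our script wants in its chain on this reload
    "-A FW-INPUT -i lo -j ACCEPT",
    "-A FW-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A FW-INPUT -p tcp --dport 22 -j ACCEPT",
]

def rebuild(save_text, owned, new_rules):
    """Return iptables-restore input: every line outside the owned chains
    (f2b-*, DOCKER*, the INPUT hook) is kept; owned chains are refilled."""
    out, table = [], None
    for line in save_text.splitlines():
        if line.startswith("*"):                      # table header
            table = line[1:]
            out.append(line)
            if table == "filter":                     # (re)declare our chains
                out += [f":{c} - [0:0]" for c in sorted(owned)]
        elif (line[:1] == ":" and line[1:].split()[0] in owned) or \
             (line[:2] == "-A" and line.split()[1] in owned):
            continue                                   # ours: replaced below
        elif line == "COMMIT":
            if table == "filter":
                out += new_rules
            out.append(line)
        else:
            out.append(line)                           # foreign line: keep
    return "\n".join(out) + "\n"
```

In practice the input comes from `iptables-save` and the output is piped into `iptables-restore`; because the kernel replaces the table in one operation there is no window with an empty ruleset, and nothing else has to be reloaded.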
