The packet filter configuration must be activated on every startup of the firewall or the managed host, so the configuration is stored in configuration files on the machine. ZMS uses the iptables-utils package to handle the packet filter configuration. This package loads the ruleset upon startup, simplifies administration by allowing variables in the policy, and prevents accidental lock-out from the box by a misconfiguration. It is a self-sufficient program and can also be used independently of ZMS.
iptables-utils manages the configuration using four files.
iptables.conf.var
This file stores the variables that can be used in the policy. These variables are not the same as ZMS variables and are not involved in ZMS-based configuration.
iptables.conf.in
This file stores the policy itself, with unresolved variables.
iptables.conf.new
This file stores the configuration generated from the iptables.conf.in and iptables.conf.var files, that is, the policy with its variables resolved.
iptables.conf
This file stores the actual configuration. The startup policy is loaded from this file.
Three small utilities, all part of the iptables-utils package, manage these files. iptables-gen generates the iptables.conf.new file. iptables-test tests the new configuration and protects against lock-outs: it loads the policy from iptables.conf.new, lets it run for 10 seconds, and then reloads the old configuration, which is assumed to be functional, from the iptables.conf file. If the new configuration works, it can be made effective with iptables-commit, which loads the new configuration and replaces the iptables.conf file with it.
The packet filter system is controlled with the /etc/init.d/iptables-utils init-script, which also loads the configuration policy upon start-up. On start, it only loads the policy stored in the iptables.conf file. On restart, it generates a new configuration with iptables-gen and attempts to load it. If any error occurs, it reverts to the old configuration stored in the iptables.conf file. If the load succeeds, it replaces iptables.conf with iptables.conf.new. For further information on iptables-utils, see the manual page of the utility.
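The gen / test / commit cycle and the init-script's restart logic described above, as an added Python example written for this page; it is not the iptables-utils code and does not reproduce its internals. It assumes that iptables.conf.var holds NAME=value lines, that iptables.conf.in refers to them as ${NAME}, and that rules are loaded through a caller-supplied apply(path) function returning True on success; apply_with_iptables_restore is one such loader and needs root. Two points the prose only implies are made explicit: the revert in iptables_test is unconditional, which is what protects against lock-out, and resolve_template refuses an undefined variable instead of expanding it to an empty string, so a half-formed rule is never loaded.

```python
"""Stand-alone illustration of the iptables-utils gen / test / commit cycle,
written for this page (not the iptables-utils sources). Assumed: iptables.conf.var
holds NAME=value lines, iptables.conf.in uses ${NAME}, loading is apply(path)->bool."""
import re
import subprocess
import tempfile
import time
from pathlib import Path

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

SAMPLE_VARS = "# constructed iptables.conf.var, not from a real host\nADMIN_NET=192.0.2.0/24\nSSH_PORT=22\n"
SAMPLE_POLICY = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${ADMIN_NET} -p tcp --dport ${SSH_PORT} -j ACCEPT
COMMIT
"""

def parse_var_file(text):
    """Parse NAME=value lines (assumed format); blank and # lines are skipped."""
    variables = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or not NAME_RE.fullmatch(name):
            raise ValueError(f"line {lineno}: malformed variable line {raw!r}")
        variables[name] = value.strip().strip('"')
    return variables

def undefined_variables(template, variables):
    """Names the policy references that the .var file does not define."""
    return sorted({m.group(1) for m in VAR_RE.finditer(template)} - set(variables))

def resolve_template(template, variables):
    """Expand ${NAME}; the result is the content of iptables.conf.new. Fails
    closed: an undefined name raises instead of becoming an empty string, so a
    rule never silently loses its -s or --dport argument."""
    missing = undefined_variables(template, variables)
    if missing:
        raise KeyError("undefined variable(s) in policy: " + ", ".join(missing))
    return VAR_RE.sub(lambda m: variables[m.group(1)], template)

def iptables_gen(conf_dir):
    """iptables-gen equivalent: write iptables.conf.new from .in and .var."""
    d = Path(conf_dir)
    variables = parse_var_file((d / "iptables.conf.var").read_text())
    new = resolve_template((d / "iptables.conf.in").read_text(), variables)
    (d / "iptables.conf.new").write_text(new)
    return new

def iptables_test(conf_dir, apply, hold_seconds=10):
    """iptables-test equivalent: load the candidate, hold it, then always reload
    the known-good iptables.conf. Returns whether the candidate loaded."""
    d = Path(conf_dir)
    loaded = apply(d / "iptables.conf.new")
    if loaded:
        time.sleep(hold_seconds)    # window for the admin to confirm access survives
    apply(d / "iptables.conf")      # unconditional revert: the lock-out protection
    return loaded

def iptables_commit(conf_dir, apply):
    """iptables-commit equivalent (also what the init script's restart does after
    gen): load the candidate; only on success replace iptables.conf, the startup policy."""
    d = Path(conf_dir)
    if not apply(d / "iptables.conf.new"):
        apply(d / "iptables.conf")  # failed load: fall back to the old policy
        return False
    (d / "iptables.conf").write_text((d / "iptables.conf.new").read_text())
    return True

def apply_with_iptables_restore(path):
    """Real loader (needs root): feed the ruleset file to iptables-restore."""
    with open(path) as f:
        return subprocess.run(["iptables-restore"], stdin=f).returncode == 0

def demo(hold_seconds=0):
    """Run the cycle on constructed files with a recording stand-in for iptables-restore."""
    loads = []
    def fake_apply(path):
        loads.append(Path(path).name)
        return True
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "iptables.conf.var").write_text(SAMPLE_VARS)
        (d / "iptables.conf.in").write_text(SAMPLE_POLICY)
        (d / "iptables.conf").write_text("*filter\nCOMMIT\n")  # old, known good
        iptables_gen(d)
        iptables_test(d, fake_apply, hold_seconds)
        iptables_commit(d, fake_apply)
        return loads, (d / "iptables.conf").read_text()
```

demo() returns the load order new, old, new together with the final iptables.conf: the candidate is tried, the known-good iptables.conf comes back regardless of the outcome, and only the commit step makes the candidate the startup policy. The init-script restart corresponds to iptables_gen() followed by iptables_commit(); a generation error (malformed variable file, undefined variable) raises before anything is loaded, so iptables.conf stays in force.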
During the ZMS configuration, iptables-utils creates the iptables.conf.in and iptables.conf.new files on the managed hosts. Although by default ZMS does not use variables, it is possible to use them. To deploy the new configuration, restart the component so that the modified and uploaded configuration is regenerated.
Warning: Without restarting the component, the new configuration is not generated and the modifications are ineffective. If the iptables rules are manually reloaded (that is, using the /etc/init.d/iptables-utils reload command or the Packet Filter ZMC component), make sure to reload Zorp as well. Otherwise the packet filtering services (PFServices) will not function.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu