[BlueOnyx:26291] Re: Saving APF Blacklist opens firewall
Michael Stauber
mstauber at blueonyx.it
Tue Jun 13 20:52:07 -05 2023
Hi John,
> I'd like to counter if I may.
Sure!
> It is taking a full minute and more to do the complete reload, in which
> time there are many hacking efforts at play.
>
> iptables uses chains. Instead of flushing everything and then building
> and adding one chain at a time:
> 1. Don't flush
> 2. Create a new chain(s) with the new rules
> 3. Insert the new chain(s) before the old chain
> 4. Remove the old chain(s)
> 5. Rename the new chain(s) to be the same as the old chain(s)
In principle this is a good idea, but I'm not sure if I want to go
there. I consider APF a legacy product that will go away in 12 months
and 17 days when CentOS 7 goes EOL. APF has served us very well for
many, many years. No doubt about it. Yet 12 months before its retirement
isn't really the right time to start making fundamental changes to it.
When you look under the hood of APF, you see that the code is quite
complex and the way it is structured doesn't make inserting new chains
and removing *all* previous chains that easy. And I guess that's why the
original coders of APF did go the route of flushing all chains on a
restart. It's doable, but at this point it might not really be worth the
effort compared to the associated risks of releasing a modified APF that
*might* have new flaws that were overlooked in testing. I'd rather not
rock that boat.
And for modern versions of BlueOnyx we already have Firewalld as a more
capable replacement.
--
With best regards
Michael Stauber
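The five-step chain swap John describes, written out as an added example (not code from APF or from either poster). It emits the iptables command sequence as a dry run so the order can be checked before piping it to sh; it assumes the blacklist chain is reached by a single `-j CHAIN` jump from INPUT and that the new rules come from a file holding one rule-argument list per line.

```shell
#!/bin/sh
# Added example: rebuild a blacklist chain without flushing, so INPUT is
# never left without a blacklist while the new rules are being loaded.
# Assumption: CHAIN is referenced only by one "-j CHAIN" jump in INPUT.

# Print the command sequence for the swap.
#   $1 = chain name, $2 = file of rule arguments (one rule per line),
#   $3 = line number of the "-j CHAIN" jump in INPUT (iptables -L INPUT --line-numbers)
swap_chain_cmds() {
    chain=$1; rules=$2; pos=$3
    tmp="${chain}_new"
    # 1. no flush   2. build the replacement chain while the old one stays live
    echo "iptables -N $tmp"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        echo "iptables -A $tmp $rule"
    done < "$rules"
    # 3. hook the new chain in at the old jump's position (old jump shifts down one)
    echo "iptables -I INPUT $pos -j $tmp"
    # 4. unhook, empty and delete the old chain (-X needs zero references left)
    echo "iptables -D INPUT -j $chain"
    echo "iptables -F $chain"
    echo "iptables -X $chain"
    # 5. rename; the INPUT jump follows the rename, so the name stays the same
    echo "iptables -E $tmp $chain"
}

# Dry run on a constructed two-entry blacklist (TEST-NET addresses, not real data).
if [ "${1:-}" = "demo" ]; then
    rules=$(mktemp)
    printf '%s\n' "-s 198.51.100.7 -j DROP" "-s 203.0.113.0/24 -j DROP" > "$rules"
    swap_chain_cmds BLACKLIST "$rules" 1
    rm -f "$rules"
fi
```

Run with `demo` to inspect the sequence; only pipe it to sh once the INPUT line number is confirmed, since a wrong position reorders the chain relative to the rest of the ruleset.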