fgadm - filtergen command program
fgadm is a simple command interface for managing filtergen-based
packet filters.
fgadm can be used to stop existing filters (thus turning them off),
reload new packet filters, save currently running filters for longevity, and
check filter scripts for errors before reloading.
The following commands are accepted by fgadm:
- check: Check the filter script /etc/filtergen/rules.filter
for errors. The generated filter will be printed on standard output, and
errors printed to standard error.
- reload: Replace the current live packet filter with the one in
/etc/filtergen/rules.filter. The script will be tested for errors
- save: The current live packet filter will be saved in a
distribution-friendly way. On Red Hat systems, this will save the iptables
or ipchains firewall that is currently loaded into the kernel to load at
boot with the iptables or ipchains initscript.
- stop: This command will flush the current live packet filter out
and put it in a default accept mode, thus no firewalling will be in place.
This is useful to abort firewalls in an emergency.
One may find the following sequence of commands useful for making firewall
changes on live servers:
# at now + 2 min
warning: commands will be executed using (in order) a) $SHELL b) login shell c)
at> fgadm stop
job 53 at 2004-06-07 17:25
# fgadm check
# fgadm reload
# atrm 53
# fgadm save
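
The sequence above wrapped in a shell function, as an added example that is not part of fgadm or the filtergen package: it arms the scheduled fgadm stop, parses the job number from at's output, and cancels the job only after the operator confirms the new filter. The names safe_reload and parse_at_job, the FGADM/AT/ATRM override variables and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the at / check / reload / atrm / save sequence as a function.
# FGADM, AT and ATRM can be overridden (assumption of this example) so the
# logic can be exercised with stand-in commands.
FGADM=${FGADM:-fgadm}
AT=${AT:-at}
ATRM=${ATRM:-atrm}

# Extract the job number from at's "job 53 at 2004-06-07 17:25" line.
parse_at_job() {
    sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# safe_reload [minutes]
# Returns 0 when the new filter is live and saved,
#         1 when check failed (live filter untouched, scheduled stop cancelled),
#         2 when the scheduled stop could not be armed (nothing was changed),
#         3 when reload failed or was not confirmed; the scheduled stop stays
#           armed and will put the filter in default accept mode when it fires.
safe_reload() {
    delay=${1:-2}
    # Arm the safety net first; at reports the job number on stderr.
    job=$(echo "$FGADM stop" | "$AT" now + "$delay" min 2>&1 | parse_at_job)
    [ -n "$job" ] || return 2
    # check prints the generated filter on stdout and errors on stderr.
    if ! "$FGADM" check >/dev/null; then
        "$ATRM" "$job"    # nothing was changed, so disarm
        return 1
    fi
    "$FGADM" reload || return 3
    # If the new filter cut this session off, the answer never arrives
    # and the scheduled stop restores access.
    printf 'Type yes within %s min to keep the new filter: ' "$delay"
    read -r answer || answer=no
    [ "$answer" = yes ] || return 3
    "$ATRM" "$job" && "$FGADM" save
}
```

Source the file as root and run safe_reload 2 from the remote session that would be lost if the new filter were wrong.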
Packet filter descriptions are read from this file when fgadm
This file alters the behaviour of filtergen
as called from fgadm
does not work on Debian systems with iptables due to a lack of
common sense in the iptables package.
fgadm was written by Jamie Wilkinson <email@example.com> for the
filtergen package, to ease maintenance of filtergen-based firewalls.