Preserving Tables File Edits

When you paste the output of the Firewall Rules Generator webpage into "gui-paste" on the Gibraltar system, any changes you may have made manually to the "tables" file on the Gibraltar system will be detected and, if possible, carried forward. Here's how that works.

Using a program called diff3, the "gui-paste" script does a 3-way file compare and merge between:

  1. the new "tables" data you just pasted,
  2. the previous "tables" data you pasted (kept in "tables.gui") and
  3. the current "tables" file on your Gibraltar system.

Your changes will be carried forward automatically if:

  1. the previous "tables" data you pasted is found (in "tables.gui") and
  2. the edits you made manually don't overlap with those made on the webpage (see manually editing firewall rules).
  3. you make the changes on the firewall itself (do not edit and then paste rule generator output).

Otherwise...

If the "tables.gui" file doesn't exist; gui-paste announces that this must be the first time you're running it and warns that it has not merged any changes and that your old "tables" file is now in "tables.old".

If there were overlapping changes, gui-paste will:

Upgrading to Rule Generator Version 2

Because there are significant changes in rule generator output between versions 1 and 2, if you made manual changes to version 1 output, they will probably need to be reworked and re-applied when you switch to rule generator version 2. One way to do this with minimal disruption to a production firewall is:

  1. Run "cd /usr/local/sbin && diff tables.gui tables" on the firewall to see what manual changes you have made.
  2. Upload the "/usr/local/sbin/tables" file into the version 2 rule generator and generate new version 2 rules. Copy the rule generator output to the clipboard as usual.
  3. Run "gui-paste -r" and paste in the new rules BUT interrupt (type Control-C) during the final count-down to prevent the new (unmodified) rules from being executed.
  4. Manually re-apply your changes (suitably modified) to the "/usr/local/sbin/tables" file on the firewall.
  5. Run "gui-paste" (without -r) and paste in the new rules again. Let it finish this time.

Restoring a Firewall From Just a Saved Tables File

Unless you've configured optional services (such as DHCP or VPN or IPSec Tunneling) on your firewall, all the important information about your firewall is recoverable from just the "tables" file so it is a good idea to keep a spare copy of it somewhere.

If you somehow run afoul of the merge process described above or if you need to re-create your firewall from scratch (perhaps for an OS upgrade or because your floppy failed), the following steps will re-create your firewall most efficiently from a saved "tables" file:

  1. If necessary, configure a generic Gibraltar and run "uw-setup" as before
  2. Restore the Firewall Rules Generator webpage by uploading your saved "tables" file and clicking "generate...",
  3. Paste the webpage output into "gui-paste -r",
  4. If there were any manual edits in your saved "tables" file, copy it back to Gibraltar and run it.

    Corey Satten
    Email -- corey @ u.washington.edu
    Web -- http://staff.washington.edu/corey/
    Date -- Mon Jan 28 12:26:19 PST 2008