When you paste the output of the Firewall Rules Generator webpage into
gui-paste" on the Gibraltar system, any changes you may
have made manually to the "tables" file on the Gibraltar system will be
detected and, if possible, carried forward. Here's how that works.
Using a program called
the "gui-paste" script does a 3-way file compare and merge between:
Your changes will be carried forward automatically if:
If the "tables.gui" file doesn't exist; gui-paste announces that this must be the first time you're running it and warns that it has not merged any changes and that your old "tables" file is now in "tables.old".
If there were overlapping changes, gui-paste will:
gui-paste -r" to replace the tables file with data from the webpage (discarding any manual edits).
Because there are significant changes in rule generator output between versions 1 and 2, if you made manual changes to version 1 output, they will probably need to be reworked and re-applied when you switch to rule generator version 2. One way to do this with minimal disruption to a production firewall is:
cd /usr/local/sbin && diff tables.gui tables" on the firewall to see what manual changes you have made.
/usr/local/sbin/tables" file into the version 2 rule generator and generate new version 2 rules. Copy the rule generator output to the clipboard as usual.
gui-paste -r" and paste in the new rules BUT interrupt (type Control-C) during the final count-down to prevent the new (unmodified) rules from being executed.
/usr/local/sbin/tables" file on the firewall.
gui-paste" (without -r) and paste in the new rules again. Let it finish this time.
Unless you've configured optional services (such as DHCP or VPN or IPSec Tunneling) on your firewall, all the important information about your firewall is recoverable from just the "tables" file so it is a good idea to keep a spare copy of it somewhere.
If you somehow run afoul of the merge process described above or if you need to re-create your firewall from scratch (perhaps for an OS upgrade or because your floppy failed), the following steps will re-create your firewall most efficiently from a saved "tables" file:
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:26:19 PST 2008