Firewall change control

firewall

At the moment I'm using a Python script to generate iptables rules. Each set of changes gets committed to a git repository before deployment so there's a trace of who changed what and why.

What tools/processes do other people use to manage changes to their firewall rules? Is there a guide on best practice for firewall change control that anyone likes?

UPDATE: I guess what I'm asking is for tools/processes around the area. For instance I find testing large firewall scripts quite difficult. Anyone use/written a test script or know of a unit testing type approach that's possible with iptables?
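One way to get unit-test style coverage of a large iptables ruleset, as an added example that is not part of the original question or any answer: capture the generated rules in `iptables-save` format (the script can be pointed at a saved dump, so it runs without root and without touching the live firewall), parse them, and assert a few invariants that must hold after every change. The dumps, the management network `10.0.0.0/8` and the specific invariants (default DROP on INPUT/FORWARD, no unconditional ACCEPT in INPUT, SSH only from the management network) are constructed assumptions for illustration.

```python
"""Invariant checks over an iptables-save dump (added example, not from the post)."""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed sample dumps in the format `iptables-save` prints.
GOOD_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

BAD_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    options: dict  # flag -> argument (True for flags that take none)
    raw: str

    @property
    def target(self):
        return self.options.get("-j")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a Rule; a repeated flag (e.g. -m) keeps the last value."""
    tokens = shlex.split(line)  # tokens[0] == "-A", tokens[1] == chain name
    options = {}
    i = 2
    while i < len(tokens):
        key = tokens[i]
        if key == "!":  # negation: fold it into the following flag, e.g. "!-s"
            key = "!" + tokens[i + 1]
            i += 1
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith("-") and nxt != "!":
            options[key] = nxt
            i += 2
        else:
            options[key] = True
            i += 1
    return Rule(chain=tokens[1], options=options, raw=line)


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [Rule, ...]}}."""
    tables = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):  # ":INPUT DROP [0:0]"; user chains carry "-"
            chain, policy, _counters = line[1:].split(None, 2)
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(parse_rule(line))
        elif line == "COMMIT":
            current = None
    return tables


def audit(tables, mgmt_net="10.0.0.0/8"):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []
    filt = tables.get("filter", {"policies": {}, "rules": []})
    mgmt = ipaddress.ip_network(mgmt_net)
    for chain in ("INPUT", "FORWARD"):
        if filt["policies"].get(chain) != "DROP":
            findings.append(f"{chain} default policy is not DROP")
    for rule in filt["rules"]:
        if rule.chain != "INPUT" or rule.target != "ACCEPT":
            continue
        if set(rule.options) == {"-j"}:  # ACCEPT with no match at all
            findings.append(f"unconditional ACCEPT: {rule.raw}")
        if rule.options.get("--dport") == "22":
            src = rule.options.get("-s")
            if src is None or not ipaddress.ip_network(src).subnet_of(mgmt):
                findings.append(f"SSH reachable from outside {mgmt_net}: {rule.raw}")
    return findings


if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, audit(parse_iptables_save(dump)) or "OK")
```

Run against the output of your generator (or `iptables-save` on a staging host) as a pre-commit or CI step; a non-empty findings list fails the change before it reaches the git repository, so the invariants travel with the rules and every commit is checked the same way.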

Best Answer

You could use higher-level software that generates iptables rules, like shorewall. It has a command, 'shorewall check', that checks your rules for consistency and errors.
