The word compilation here means the generation of the two ipfilter configuration files, ipf.conf and ipnat.conf, from the isba ruleset and objects. Before the final compilation and installation of your ruleset to target host(s), you have various ways of checking the ipfilter rules that will be generated, with a granularity as low as a single isba rule. You can preview the compilation output for your ipf or nat ruleset to check it yourself, or make isba check it. In the latter case, isba will also make ipf and ipnat check the generated ipf.conf and ipnat.conf files. These you can then save local to files on the mgt machine (and install them yourself on the target host) or let isba upload them on target host, and possibly install them in the kernel. At this point, you have the option of setting a timer-controlled automatic ruleset rollback in the event that everything is not ok and that you can't reach your target anymore. Finally you have a means of debugging your ruleset with isba's ipfilter log viewer, vlog.

For example suppose your ruleset targets are foo and bar. You select 'Compile>Compile to files ...', you choose to 'Compile for all targets', and the filenames you give for the ipf.conf and the ipnat.conf are /home/ipf/TARGET.ipf and /home/ipf/TARGET.nat: then isba will generate the files /home/ipf/foo.ipf, /home/ipf/foo.nat, /home/ipf/bar.ipf and /home/ipf/bar.nat.

For example (I forgot to check the nickel checkbox ...):

Your ruleset is ready for installation on an ipfilter host: select 'Compile>Compile and install'. If it has several targets, choose which one(s) you want to install on. Isba will upload the ipf.conf and ipnat.conf files to your targets.

Check the "reload rules" button if you also want isba to reload rules in the targets' kernels.

This program will wait for N seconds (you specify N in the popup above), and then revert to the previous ruleset. More specifically, it will replace the ipf.conf and ipnat.conf files with the previous ones (ipf.prev and ipnat.prev) and reload rules in the kernel.

Thus, if your new ruleset behaves badly and if you can't reach your target anymore because of this, you will be able to take control again after N seconds.

On the other hand, if you can still reach your target (on port SSH), and if your new ruleset is OK, you can cancel the automatic ruleset rollback (before the N seconds !) by selecting "Target>Cancel auto rollback>[target-name]".

Once you ruleset is installed you can view the ipfilter logfile in real time with the "Target>Show Ipf log>[target-name]" menu entry. This opens an xterm and launches vlog on target through SSH.

If you have set up ipfilter logging correctly on this target (ipmon -s or -Ds running, /etc/syslog.conf redirecting ipfilter loglines to /var/log/ipflog), you will see the ipfilter log lines coming in the vlog window in real time.

In the vlog window you will notice that some fields are missing. Actually they simply are not displayed, to save some screen space. You control which fields are, and which fields are not displayed by hitting the 'o' key.