[Shorewall-devel] "shorewall stop"
simon.matter at ch.sauter-bc.com
Fri Jul 25 19:53:08 PDT 2003
> Although Shorewall provides safeguards against it, people seem to
> regularly shoot themselves in the foot when doing remote system
> administration. I've been thinking about this problem and wonder if a
> change to the way that "shorewall stop" behaves might help.
> Today, "shorewall stop" stops all traffic except to/from those
> destinations listed in /etc/shorewall/routestopped. An alternative
> behavior would be:
> a) Established connections and their related traffic would still be
> enabled. This means that "shorewall stop" wouldn't kill the ssh session
> from which you inadvertently issued the command. On the other hand, all
> other established connections would continue to work as well.
I'm not sure I like this.
> b) All connection attempts FROM the firewall would be allowed. This
> would enable, for example, DNS lookups.
Seems not bad to me.
> c) New connections would still be accepted to/from those hosts listed in
Why not add additional parameters to /etc/shorewall/routestopped so you
can also define protocols and ports for which you want to allow new
connections. Maybe many people would like to add an internet interface
restricted to tcp/22 to make at least ssh possible.
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep at shorewall.net
> Shorewall-devel mailing list
> Shorewall-devel at lists.shorewall.net
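The stopped-state ruleset discussed in this thread, written out as an added illustration that is not Shorewall's own code: a shell function that generates (but does not run) the iptables commands for a "stop" state where established/related traffic survives, new connections from the firewall itself are allowed, and new connections are accepted only to/from routestopped entries. The optional PROTO and PORT columns in the sample file are the extension proposed in the reply above, not real Shorewall syntax, and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not Shorewall code. Emits iptables commands for a "stop"
# state with the semantics proposed in the thread. Assumed input format
# (hypothetical, modelled loosely on routestopped): INTERFACE HOST [PROTO PORT]

# Constructed sample routestopped-style content (not from the page).
SAMPLE_ROUTESTOPPED='# interface host proto port
eth1 192.168.1.0/24
eth0 0.0.0.0/0 tcp 22'

stopped_rules() {
    # $1: routestopped-style text. Prints one iptables command per line.
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -P OUTPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -F' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A OUTPUT -o lo -j ACCEPT' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A OUTPUT -m state --state NEW -j ACCEPT'
    # (a) existing sessions, including the ssh session that ran "stop", keep
    #     working; (b) new connections originating on the firewall are allowed.
    printf '%s\n' "$1" | while read -r iface host proto port; do
        # Skip blank lines and comments.
        case "$iface" in ''|'#'*) continue ;; esac
        if [ -n "$proto" ] && [ -n "$port" ]; then
            # Restricted entry: only new connections TO the firewall on this
            # protocol/port are accepted (e.g. tcp/22 so ssh stays reachable).
            printf 'iptables -A INPUT -i %s -s %s -p %s --dport %s -j ACCEPT\n' \
                "$iface" "$host" "$proto" "$port"
        else
            # (c) unrestricted entry: new connections to/from the host, both
            #     to the firewall and routed through it, are accepted.
            printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$host"
            printf 'iptables -A OUTPUT -o %s -d %s -j ACCEPT\n' "$iface" "$host"
            printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$iface" "$host"
            printf 'iptables -A FORWARD -o %s -d %s -j ACCEPT\n' "$iface" "$host"
        fi
    done
}

# Print the generated ruleset for the constructed sample.
stopped_rules "$SAMPLE_ROUTESTOPPED"
```

The ordering matters: the ESTABLISHED,RELATED rules come before any DROP so that the administrator's own session is never cut, and the per-entry rules only ever add NEW acceptances on top of the default DROP policies, which is what makes a tcp/22-only entry safe to expose on an internet-facing interface.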