[Shorewall-devel] "shorewall stop"

Simon Matter simon.matter at ch.sauter-bc.com
Fri Jul 25 19:53:08 PDT 2003


> Although Shorewall provides safeguards against it, people seem to
> regularly shoot themselves in the foot when doing remote system
> administration. I've been thinking about this problem and wonder if a
> change to the way that "shorewall stop" behaves might help.
>
> Today, "shorewall stop" stops all traffic except to/from those
> destinations listed in /etc/shorewall/routestopped. An alternative
> behavior would be:
>
> a) Established connections and their related traffic would still be
> enabled. This means that "shorewall stop" wouldn't kill the ssh session
> from which you inadvertently issued the command. On the other hand, all
> other established connections would continue to work as well.

I'm not sure I like this.

>
> b) All connection attempts FROM the firewall would be allowed. This
> would enable, for example, DNS lookups.

Seems not bad to me.

>
> c) New connections would still be accepted to/from those hosts listed in
> /etc/shorewall/routestopped.

Why not add additional parameters to /etc/shorewall/routestopped so you
can also define protocols and ports for which you want to allow new
connections. Maybe many people would like to add an internet interface
restricted to tcp/22 to make at least ssh possible.

Simon

>
> Comments?
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep at shorewall.net
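To make the proposed "stop" behaviour and Simon's extended routestopped format concrete, here is an added example (not Shorewall code, and not from either poster): a small POSIX sh generator that turns a routestopped file with two hypothetical extra columns, PROTO and PORT, into the iptables commands for points (a), (b) and (c). The sample file contents and the column layout are constructed for illustration; the script prints the rules rather than applying them, so the resulting rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: generates the iptables rules for the "stop" state proposed in
# the thread.  (a) ESTABLISHED/RELATED traffic keeps flowing, (b) new
# connections FROM the firewall are allowed, (c) new connections to/from
# routestopped hosts are allowed, optionally limited by the hypothetical
# PROTO and PORT columns.  Rules are printed, not executed.

# Constructed sample routestopped file.  Columns: INTERFACE HOST(S) PROTO PORT
# ("-" or a missing column means "any"; PORT only applies with tcp/udp).
ROUTESTOPPED='#INTERFACE HOST(S) PROTO PORT
eth0 192.168.1.0/24 - -
eth1 203.0.113.10 tcp 22
'

gen_stop_rules() {
    # $1: routestopped content.  Output: one iptables command per line.
    printf '%s\n' 'iptables -F'
    for chain in INPUT OUTPUT FORWARD; do
        printf 'iptables -P %s DROP\n' "$chain"
    done
    printf '%s\n' 'iptables -A INPUT -i lo -j ACCEPT'
    printf '%s\n' 'iptables -A OUTPUT -o lo -j ACCEPT'
    # (a) keep existing sessions alive, including the admin's own ssh session
    for chain in INPUT OUTPUT FORWARD; do
        printf 'iptables -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    done
    # (b) connections originating on the firewall itself (DNS lookups etc.)
    printf '%s\n' 'iptables -A OUTPUT -m state --state NEW -j ACCEPT'
    # (c) new connections to/from routestopped hosts; PORT is the server-side
    #     port in each direction (firewall's port on INPUT, host's on OUTPUT)
    printf '%s\n' "$1" | while read -r iface host proto port; do
        case "$iface" in ''|'#'*) continue ;; esac   # skip blanks and comments
        match=""
        if [ -n "$proto" ] && [ "$proto" != "-" ]; then
            match=" -p $proto"
            if [ -n "$port" ] && [ "$port" != "-" ]; then
                case "$proto" in tcp|udp) match="$match --dport $port" ;; esac
            fi
        fi
        printf 'iptables -A INPUT -i %s -s %s%s -m state --state NEW -j ACCEPT\n' \
            "$iface" "$host" "$match"
        printf 'iptables -A OUTPUT -o %s -d %s%s -m state --state NEW -j ACCEPT\n' \
            "$iface" "$host" "$match"
    done
}

gen_stop_rules "$ROUTESTOPPED"
```

Piping the output through `sh` on a real host would apply it; the point here is that the eth1 entry yields only a tcp/22 exception while the eth0 entry stays unrestricted, which is exactly the per-host, per-port control Simon asks for.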