[Shorewall-devel] "shorewall stop"
duda at icatu.com.br
Fri Jul 25 16:01:12 PDT 2003
As someone who has already had to get a cab to put a Shorewall back up again,
I've learned over time to put at least my IP address in the
Anyway, there go my two cents...
shorewall-devel-bounces at lists.shorewall.net wrote on 25/07/2003 13:40:14:
> Although Shorewall provides safeguards against it, people seem to
> regularly shoot themselves in the foot when doing remote system
> administration. I've been thinking about this problem and wonder if a
> change to the way that "shorewall stop" behaves might help.
> Today, "shorewall stop" stops all traffic except to/from those
> destinations listed in /etc/shorewall/routestopped. An alternative
> behavior would be:
> a) Established connections and their related traffic would still be
> enabled. This means that "shorewall stop" wouldn't kill the ssh session
> from which you inadvertently issued the command. On the other hand, all
> other established connections would continue to work as well.
I don't like this option much because, in case of an attack, it would
still let the intruder in (or am I wrong?).
> b) All connection attempts FROM the firewall would be allowed. This
> would enable, for example, DNS lookups.
OK for me...
> c) New connections would still be accepted to/from those hosts listed in
OK, but I would like to be able to say which ports from which hosts
would be allowed.
And no FORWARD, please. Never. A stopped firewall doesn't forward.
Icatu Holding S.A.
IT Supervisor
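The "stopped" ruleset this reply argues for, written out as an added example (this is not Shorewall's own code and not from anyone in the thread): FORWARD is closed outright, the firewall itself may still open connections (option b), and only the hosts in a routestopped-style file can reach the box, restricted to listed ports as the reply asks (option c). The blanket ESTABLISHED,RELATED rule of option (a) is off unless explicitly requested, so an intruder's existing session from an unlisted host dies with the stop. The input file format, with a third PORTS column, is an assumption modelled on the two-column /etc/shorewall/routestopped; the sample file content is constructed. The script prints the iptables commands instead of running them, so it can be reviewed unprivileged and piped to sh as root on a real box.

```shell
#!/bin/sh
# Added example, not Shorewall code: emit iptables rules for a "stopped"
# firewall with the semantics discussed in the thread.
# Hypothetical file format, modelled on Shorewall's routestopped:
#   INTERFACE  HOST(S)  PORTS
# HOST(S) is comma-separated, '-' means any host; PORTS is a comma-separated
# TCP port list, '-' means any port. The PORTS column is an assumption.

# Constructed sample standing in for /etc/shorewall/routestopped
ROUTESTOPPED="$(cat <<'EOF'
# INTERFACE  HOST(S)                 PORTS
eth0         192.0.2.10              22
eth0         192.0.2.11,192.0.2.12   22,443
eth1         -                       -
EOF
)"

# gen_stopped_rules ROUTESTOPPED_TEXT [yes]
# A second argument of "yes" adds the global ESTABLISHED,RELATED rule of
# option (a), which keeps every existing connection, an intruder's included.
gen_stopped_rules() {
    _rs=$1
    _keep_all_established=${2:-no}

    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"     # a stopped firewall never forwards
    echo "iptables -P OUTPUT ACCEPT"    # option (b): the box can still do DNS lookups etc.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    if [ "$_keep_all_established" = yes ]; then
        echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi

    printf '%s\n' "$_rs" | while read -r iface hosts ports; do
        case "$iface" in ''|\#*) continue ;; esac
        [ "$hosts" = - ] && hosts=0.0.0.0/0
        [ -z "$ports" ] && ports=-
        for h in $(printf '%s' "$hosts" | tr ',' ' '); do
            # Established traffic is kept for listed hosts only: replies to
            # connections the firewall opened TO the host, and the rest of a
            # connection it accepted FROM the host on an allowed port.
            echo "iptables -A INPUT -i $iface -s $h -m state --state ESTABLISHED,RELATED -j ACCEPT"
            if [ "$ports" = - ]; then
                echo "iptables -A INPUT -i $iface -s $h -j ACCEPT"
            else
                echo "iptables -A INPUT -i $iface -s $h -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
            fi
        done
    done
}

# Print the ruleset the reply describes (option (a) left off).
gen_stopped_rules "$ROUTESTOPPED"
```

The per-host ESTABLISHED,RELATED rule is what makes "to/from those hosts" work once ports are restricted: without it, the reply packets of an ssh session the firewall opened to a listed host would arrive with an arbitrary destination port and be dropped. `-m state` is the match of the iptables of that era; on a current kernel `-m conntrack --ctstate` is the equivalent.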