[Shorewall-devel] "shorewall stop"

Eduardo Ferreira duda at icatu.com.br
Fri Jul 25 16:01:12 PDT 2003


As someone who has already had to take a cab to put a Shorewall back up again, 
I've learned through time to put at least my IP address in the 
routestopped file. 

Anyway, there go my two cents...


shorewall-devel-bounces at lists.shorewall.net wrote on 25/07/2003 13:40:14:

> Although Shorewall provides safeguards against it, people seem to
> regularly shoot themselves in the foot when doing remote system
> administration. I've been thinking about this problem and wonder if a
> change to the way that "shorewall stop" behaves might help.
> 
> Today, "shorewall stop" stops all traffic except to/from those
> destinations listed in /etc/shorewall/routestopped. An alternative
> behavior would be:
> 
> a) Established connections and their related traffic would still be
> enabled. This means that "shorewall stop" wouldn't kill the ssh session
> from which you inadvertently issued the command. On the other hand, all
> other established connections would continue to work as well.

I don't like this option much because, in case of an attack, it would 
still let the intruder in (or am I wrong?). 

> 
> b) All connection attempts FROM the firewall would be allowed. This
> would enable, for example, DNS lookups.

ok for me...

> 
> c) New connections would still be accepted to/from those hosts listed in
> /etc/shorewall/routestopped.

ok, but I would like to be able to tell which ports from which hosts it 
would be allowed. 

And no FORWARD, please. Never. A stopped firewall doesn't forward 
anything.

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606 
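The stopped-state behaviour argued for in this message (firewall-originated connections allowed, no blanket acceptance of existing inbound sessions, routestopped hosts restricted to given ports, FORWARD never open) can be sketched as a rule generator. The script below is an added example, not Shorewall code and not the routestopped syntax Shorewall actually used at the time: it reads a hypothetical three-column list (interface, host or "-", optional comma-separated TCP ports or "-") constructed here, and only prints the iptables commands so the ruleset can be reviewed before anything is applied on a remote box. Replies to firewall-originated connections are admitted with `--ctdir REPLY` (conntrack match, needs a kernel that supports it) instead of a global ESTABLISHED rule, which is the difference between this and option (a).

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Generates a "stopped" ruleset
# from a routestopped-style list extended with a TCP port column, which is
# the extension asked for in the message above. Nothing is executed.
#
# Hypothetical format: INTERFACE HOST [TCP_PORTS]
#   HOST "-"      = any host on that interface
#   TCP_PORTS "-" = any port (or column absent)

# Constructed sample (not from the original post). The first entry is the
# admin's own address, the thing the author says to always put in the file.
ROUTESTOPPED='
# interface host           tcp ports
eth0       192.0.2.10      22
eth0       192.0.2.0/24    22,443
eth1       -               -
'

stopped_ruleset() {
    # Stance of a stopped firewall: drop in, drop out, and never forward.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Loopback stays open so local daemons keep talking to each other.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Option (b): connections originated by the firewall (DNS lookups etc.).
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT"
    # Only replies to firewall-originated connections come back in; an
    # already-open inbound session is NOT kept alive by this rule, which is
    # what separates it from option (a).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED --ctdir REPLY -j ACCEPT"
    # Option (c), with ports: per-host rules from the routestopped list.
    printf '%s\n' "$ROUTESTOPPED" | while read -r iface host ports; do
        case "$iface" in ''|'#'*) continue ;; esac
        src=""; dst=""; match=""
        if [ "$host" != "-" ]; then
            src=" -s $host"
            dst=" -d $host"
        fi
        if [ -n "$ports" ] && [ "$ports" != "-" ]; then
            match=" -p tcp -m multiport --dports $ports"
        fi
        echo "iptables -A INPUT -i $iface$src$match -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface$dst -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    # Deliberately no rule touches FORWARD: a stopped firewall forwards nothing.
}

stopped_ruleset
```

Piping the output into `sh` is the operator's decision, after reading it; the point of generating text first is that a mistake in the host list is caught on screen rather than at the far end of a dead SSH session.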

