[Shorewall-users] Remote Firewall Administration
Wed, 10 Jul 2002 13:56:18 -0700
--On Wednesday, July 10, 2002 15:08:51 -0400 Kenneth Jacker
> During the summer, I /ssh/ to many of our Department's machines.
> What, if any, can I do with /shorewall/ via the /ssh/ connection?
> Of course "read only" type requests (e.g., "shorewall hits",
> "shorewall show log", etc) are not a problem.
> When I tried "service shorewall stop" for some testing, the /ssh/
> connection to/from the firewall just "hung" after displaying the
> following messages:
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params
> Stopping Shorewall...
This always reminds me of a person sitting on a tree limb madly sawing that
same limb between himself and the tree's trunk :-)
> I know it is best to be sitting at the firewall machine. But, I'm not
> always physically there.
> So a list of OK/not OK commands would be useful ...
Well, "stop" and "restart" are poor choices. You know about stop --
restart may fail to start again because of a configuration error, in which
case its effect is the same as stop.
A better way to change configurations remotely is to use the "try" command;
it was developed exactly for this purpose:
a) Copy the Shorewall files that you need to change to /etc/shoretest
b) Modify those files
c) "shorewall try /etc/shoretest"
That way, if the changed configuration fails to come up, /sbin/shorewall
will restart the main configuration in /etc/shorewall.
If you are worried that your new configuration may start but may disallow
remote SSH traffic, you can replace c) with:
c) "shorewall try /etc/shoretest 60"
That will start the configuration in /etc/shoretest, wait 60 seconds then
restart the main configuration.
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
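The copy, edit, "shorewall try <dir> [timeout]" workflow from the reply above, scripted as an added example (this is not Shorewall's own code or anything from the list). It also adds a guard that refuses "stop" and "restart" when the shell is running inside an SSH session, using the SSH_CONNECTION variable that OpenSSH sets. The variable names SHOREWALL_BIN, LIVE_DIR, TEST_DIR and TIMEOUT are assumptions chosen for this script; only the "try" invocation itself is from the post.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: scripts the remote-change workflow
# from the post so that a broken or lock-out configuration rolls back on its own.
# Assumed names: SHOREWALL_BIN, LIVE_DIR, TEST_DIR, TIMEOUT (illustrative only).

SHOREWALL_BIN="${SHOREWALL_BIN:-shorewall}"
LIVE_DIR="${LIVE_DIR:-/etc/shorewall}"
TEST_DIR="${TEST_DIR:-/etc/shoretest}"
TIMEOUT="${TIMEOUT:-60}"   # seconds before the main configuration is restarted

# True when this shell was started by sshd (OpenSSH exports SSH_CONNECTION).
in_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ]
}

# Refuse "stop" and "restart" over SSH: either one can sever the very
# session that issued it. Returns 0 if the subcommand is acceptable here,
# 1 if it should not be run from a remote session.
check_remote_safe() {
    case "$1" in
        stop|restart) in_ssh_session && return 1 ;;
    esac
    return 0
}

# Step a) from the post: copy the live configuration into the test directory.
stage_config() {
    rm -rf "$TEST_DIR" && mkdir -p "$TEST_DIR" && cp -R "$LIVE_DIR"/. "$TEST_DIR"/
}

# Step b): edit one file in the staged copy with a sed expression.
# $1 = file name relative to TEST_DIR, $2 = sed expression. Written via a
# temporary file so it does not depend on GNU "sed -i"; the live tree is untouched.
stage_edit() {
    file="$TEST_DIR/$1"
    sed "$2" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step c): start the staged configuration with a rollback timer. Shorewall
# restarts LIVE_DIR itself if the new configuration fails to come up or when
# TIMEOUT expires; the exit status returned is Shorewall's.
stage_try() {
    check_remote_safe try || return 1
    "$SHOREWALL_BIN" try "$TEST_DIR" "$TIMEOUT"
}

# One complete remote change: $1 = file to edit, $2 = sed expression.
remote_change() {
    stage_config && stage_edit "$1" "$2" && stage_try
}
```

Typical use is `remote_change rules 's/old/new/'` from a shell that has sourced the script; with the default 60-second TIMEOUT you then reconnect and, if the new rules left SSH open, apply them permanently to /etc/shorewall. The guard deliberately only blocks the two subcommands the post calls out; read-only commands such as "shorewall show log" pass through unchanged.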