[Shorewall-users] Remote Firewall Administration

Tom Eastep teastep@shorewall.net
Wed, 10 Jul 2002 13:56:18 -0700

--On Wednesday, July 10, 2002 15:08:51 -0400 Kenneth Jacker 
<khj@cs.appstate.edu> wrote:

> During the summer, I /ssh/ to many of our Department's machines.
> What, if any, can I do with /shorewall/ via the /ssh/ connection?
> Of course "read only" type requests (e.g., "shorewall hits",
> "shorewall show log", etc) are not a problem.
> When I tried "service shorewall stop" for some testing, the /ssh/
> connection to/from the firewall just "hung" after displaying the
> following messages:
> 	Processing /etc/shorewall/shorewall.conf ...
> 	Processing /etc/shorewall/params
> 	Stopping Shorewall...

This always reminds me of a person sitting on a tree limb madly sawing that 
same limb between himself and the tree's trunk :-)

> I know it is best to be sitting at the firewall machine.  But, I'm not
> always physically there.
> So a list of OK/not OK commands would be useful ...

Well, "stop" and "restart" are the poor choices. You know about stop -- 
restart may fail to start again because of a configuration error in which 
case its effect is the same as stop.

A better way to change configurations remotely is to use the "try" command; 
it was developed exactly for this purpose:

a) Copy the Shorewall files that you need to change to /etc/shoretest
b) Modify those files
c) "shorewall try /etc/shoretest"

That way, if the changed configuration fails to come up, /sbin/shorewall 
will restart the main configuration in /etc/shorewall.

If you are worried that your new configuration may start but may disallow 
remote SSH traffic, you can replace c) with:

c) "shorewall try /etc/shoretest 60"

That will start the configuration in /etc/shoretest, wait 60 seconds then 
restart the main configuration.

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
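The protective pattern Tom describes (bring up a candidate ruleset, and fall back to the known-good one if it fails to start or if nobody confirms it within a timeout) is worth seeing end to end. The script below is an added example written for this archive page; it is not Tom's code and not part of Shorewall. It emulates the firewall with a plain state file (a constructed stand-in: "applying" a config directory just records its name, and a directory counts as valid only if it contains a file named `rules`), and it goes one step beyond the post by adding an operator confirmation marker (`CONFIRM_FILE`), so that a config which provably still lets the remote SSH session in can be kept instead of being unconditionally reverted when the timer expires. All helper names, the `rules` validity check and the file paths are assumptions.

```shell
#!/bin/sh
# Fail-safe "try with timeout" for remote firewall changes (added example;
# constructed mock, not Shorewall's implementation).

# The "live ruleset" is this file; its content is the active config directory.
STATE_FILE="${STATE_FILE:-/tmp/fw_state_demo}"
# Touching this file during the wait means "the new config works, keep it".
CONFIRM_FILE="${CONFIRM_FILE:-/tmp/fw_confirm_demo}"

# Stand-in for "shorewall restart <dir>": succeeds only if <dir>/rules exists
# (constructed validity check standing in for a real configuration error).
apply_config() {
    dir="$1"
    if [ -f "$dir/rules" ]; then
        printf '%s\n' "$dir" > "$STATE_FILE"
        return 0
    fi
    return 1
}

# Emulates "shorewall try <candidate> [<seconds>]" with <main> as the fallback:
#   - candidate fails to start      -> restore main, return 1
#   - no timeout given              -> candidate stays up, return 0
#   - timeout, confirmation seen    -> candidate stays up, return 0
#   - timeout, no confirmation      -> restore main, return 1
try_config() {
    candidate="$1"; main="$2"; timeout="${3:-0}"
    rm -f "$CONFIRM_FILE"
    if ! apply_config "$candidate"; then
        apply_config "$main"        # startup error: bring back the known-good ruleset
        return 1
    fi
    if [ "$timeout" -le 0 ]; then
        return 0                    # plain "try DIR": whatever came up stays up
    fi
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        [ -f "$CONFIRM_FILE" ] && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    [ -f "$CONFIRM_FILE" ] && return 0
    apply_config "$main"            # nobody confirmed: assume we are locked out and roll back
    return 1
}

# Name of the config currently "loaded".
active_config() { cat "$STATE_FILE"; }

# Stand-alone walk-through on constructed config directories in a temp dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/shorewall" "$tmp/shoretest" "$tmp/broken"
    touch "$tmp/shorewall/rules" "$tmp/shoretest/rules"   # "broken" has no rules file
    STATE_FILE="$tmp/state"; CONFIRM_FILE="$tmp/confirm"
    apply_config "$tmp/shorewall"

    if try_config "$tmp/broken" "$tmp/shorewall"; then
        echo "unexpected: broken config stayed up"
    else
        echo "broken candidate rejected, active: $(active_config)"
    fi

    if try_config "$tmp/shoretest" "$tmp/shorewall" 1; then
        echo "unexpected: unconfirmed config stayed up"
    else
        echo "unconfirmed candidate reverted after 1s, active: $(active_config)"
    fi

    ( sleep 1; touch "$CONFIRM_FILE" ) &     # the operator confirms from the SSH session
    if try_config "$tmp/shoretest" "$tmp/shorewall" 3; then
        echo "confirmed candidate kept, active: $(active_config)"
    fi
    wait
    rm -rf "$tmp"
}

demo
```

Run it with `sh try_demo.sh` (any name works). The rollback timer lives in the same process as the apply step, which is the property that matters when the change itself might kill the session: as with `shorewall try /etc/shoretest 60`, nothing the operator has to type afterwards is required for the revert to happen.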