
Re: firewall newbie questions



On Saturday 10 April 2004 17.52, Jonas Meurer wrote:
> On 10/04/2004 Juerg Schneider wrote:
> > This is the right way. Close all, log all, open what you need.
>
> yeah, I absolutely agree, but that's not the way I'm able to start
> on a remotely controlled machine kilometers away, since I _need_
> some essential services to log all and reopen what I need.
> So my question was whether installing firehol will cause rejecting
> ssh connections from outside or whether it will not.

Sure, it will close ssh by default. Ssh is only a service; if you 
didn't open it, it has to be closed. According to the homepage a 

interface ppp+ internet
                server ssh  accept src <your ip>

in the config file should be sufficient. In any case, you should play 
with the script on your own box.

> Thinking about this, it would be terrible if any script in Debian
> would do that by default, 

No. All scripts will do so (hopefully). The advantage of a widely used 
script like firehol is that it's easy to configure. If I make a mistake 
in my hand-written script, the script will crash and the rule will not be 
loaded. Since I had closed all doors at my firewall once, I have a 
failsafe at the end of my script:

# Failsafe ----------------------------------------------------------
# Ask for confirmation; if nothing is typed within 10 seconds, restore access.
echo "Are the rules ok? If yes type 'ok'"
read -t10 answer
# $answer must be quoted: on timeout it is empty, and an unquoted test would
# fail with a syntax error instead of falling through to the failsafe.
if [ "$answer" = "ok" ]; then
	echo "should be: $answer"
else
	echo "but is: $answer"
	. /root/fw_failsave
fi

to open ssh again. But firehol seems so easy to configure that you 
can't make mistakes like this. Try it on your own box.

> but it's better to ask before instead of 
> calling the computer center afterwards to restore what the install
> broke.

OK.

ciao

Jürg
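The failsafe idea from the mail above, carried a step further as an added example (this is not Jürg's script and not part of firehol): instead of `read -t`, a background watchdog restores the previous ruleset unless the admin types "ok" within the timeout, so even a dead session or a shell without `read -t` cannot leave a remote box locked out for longer than the timer. The functions `apply_new_rules`, `restore_old_rules`, `apply_with_failsafe`, `fw_state` and `failsafe_cleanup` are assumed names; the "firewall" is a constructed state file so the script runs offline, and the comments say what the real commands would be.

```shell
#!/bin/sh
# Added example (not code from the original mail): a generic failsafe wrapper
# around a firewall reload. A background watchdog restores the previous rules
# unless the admin confirms within TIMEOUT seconds.
#
# apply_new_rules / restore_old_rules are placeholders (assumed names) that
# write a constructed state file so the script runs offline. On a real host
# they would be something like:
#   iptables-save > "$backup" && iptables-restore < "$newrules"   (apply)
#   iptables-restore < "$backup"                                  (restore)

FW_STATE="${FW_STATE:-/tmp/fw_state.$$}"          # simulated firewall (constructed)
MARKER="${FAILSAFE_MARKER:-/tmp/fw_failsafe.$$}"   # exists once the watchdog fired
echo "old-rules" > "$FW_STATE"

apply_new_rules()   { echo "new-rules" > "$FW_STATE"; }
restore_old_rules() { echo "old-rules" > "$FW_STATE"; }   # must be idempotent

# apply_with_failsafe TIMEOUT APPLY_FN ROLLBACK_FN
# Loads the new rules, then waits for "ok" on stdin. Returns 0 if the new rules
# were confirmed before the watchdog fired, 1 if they were rolled back.
apply_with_failsafe() {
    timeout=$1; apply_fn=$2; rollback_fn=$3
    rm -f "$MARKER"

    # Watchdog: after TIMEOUT seconds, record that it fired, then roll back.
    # The marker is written *before* restoring, so a kill landing between the
    # two steps is still treated as "rolled back" by the caller, which then
    # restores again (harmless, because ROLLBACK_FN is idempotent).
    ( sleep "$timeout"; echo fired > "$MARKER"; "$rollback_fn" ) &
    watchdog=$!

    if ! "$apply_fn"; then
        kill "$watchdog" 2>/dev/null || true
        "$rollback_fn"
        return 1
    fi

    echo "Rules loaded. Type 'ok' within ${timeout}s to keep them:"
    read -r answer || answer=""           # EOF (dead session) counts as "no"

    kill "$watchdog" 2>/dev/null || true  # stop the timer whatever happens next
    if [ "$answer" = "ok" ] && [ ! -f "$MARKER" ]; then
        echo "confirmed: keeping new rules"
        return 0
    fi
    # Wrong or missing answer, or the watchdog already fired: make sure the
    # old rules are back (a second restore is a no-op).
    "$rollback_fn"
    echo "rolled back to previous rules"
    return 1
}

# Read back the simulated firewall state.
fw_state() { cat "$FW_STATE"; }

# Remove the constructed state files.
failsafe_cleanup() { rm -f "$FW_STATE" "$MARKER"; }

# Demo (constructed input): the admin answers "ok" at once, so the rules stay.
echo ok | apply_with_failsafe 3 apply_new_rules restore_old_rules
echo "firewall state now: $(fw_state)"
```

In real use you would run it interactively over the ssh session you are about to protect: if the new rules cut the session, the watchdog restores the old ones after the timeout and you reconnect; if they are fine, typing "ok" before the timer kills the watchdog and the new rules stay. The marker file is what makes the two sides agree when the confirmation and the timer race.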


