Re: port _redirection_ within single machine | SOLUTION

To: debian-firewall@lists.debian.org
Subject: Re: port _redirection_ within single machine | SOLUTION
From: Martin Slouf <xslom03@vse.cz>
Date: Fri, 20 Aug 2004 14:18:48 +0200
Message-id: <[🔎] 20040820121848.GC6717@barbucha.martin.net>
In-reply-to: <1092996381.7316.139.camel@(null)>
References: <[🔎] 20040814160420.GA6943@barbucha.martin.net> <20040819223513.B29863@ns.telnet.sk> <[🔎] 20040820073215.GA3926@barbucha.martin.net> <1092996381.7316.139.camel@(null)>

> 
> Use the 'routestopped' option in your interfaces file. Then when you
> 'shorewall restart' with a faulty config you will be able to get back in
> to fix it. I had this problem and locked myself out of a remote firewall
> I was updating a couple of times before I found the answer. It is
> embarrassing to tell someone that you are coming to their site to fix a
> problem you just created remotely ;-) 
> You will need to check that using this does not create a any security
> risks, but it seemed ok to me.
> 

the same for me :)

this option is fine -- i like it

i was just adviced by some other guy that he uses a cron job that resets
his iptables while he edits his firewall every 5 minutes, also
another good and safe (!) solution -- if you write that script only to
enable ssh connection, it is ok.

you are sure to reconnect over ssh in 5 minutes -- safe enough --
but be aware of another shorewall complexities -- it uses several user
defined chains and you should really make sure to reset them all to
allow ssh connection go through -- probably calling st like
/etc/init.d/shorewall stop from that script is not a bad idea at all :)

the only sad thing about it is that it was not my idea :)

> > i was looking in config and startup files but did not find a simple
> > solution -- when internally running iptables commands return with
> > failure, the failure is not returned from shorewall scripts (all is
> > returned as proper exit code 0) and so you cant react to exit
> > code of underlaying iptables commands -- any solutions (using debian
> > stable version 1.2.12).
> > 
> > 2. the above iptables commands i placed into '/etc/shorewall/common'
> > file, cause i find no better suitable location for them -- is there a
> > file for running special user iptables commands?
> > 
> 
> So for I haven't tried this as I could do everything I needed using the
> standard config files.
>

anyway, thx for answer, the option is helpfull indeed.

now i can see it even in 'interfaces' file, but with description
that tells nothing of its practical use to a new shorewall user (me).

m.

Reply to:

Follow-Ups:
- Re: port _redirection_ within single machine | SOLUTION
  - From: Mike Mestnik <cheako911@yahoo.com>

References:
- port _redirection_ within single machine
  - From: Martin Slouf <xslom03@vse.cz>
- Re: port _redirection_ within single machine | SOLUTION
  - From: Martin Slouf <xslom03@vse.cz>
- Re: port _redirection_ within single machine | SOLUTION
  - From: Giles Nunn <giles@satproj.org.uk>

Prev by Date: Re: port _redirection_ within single machine | SOLUTION
Next by Date: Re: port _redirection_ within single machine | SOLUTION
Previous by thread: Re: port _redirection_ within single machine | SOLUTION
Next by thread: Re: port _redirection_ within single machine | SOLUTION
Index(es):
- Date
- Thread