
Re: port _redirection_ within single machine | SOLUTION

> Use the 'routestopped' option in your interfaces file. Then when you
> 'shorewall restart' with a faulty config you will be able to get back in
> to fix it. I had this problem and locked myself out of a remote firewall
> I was updating a couple of times before I found the answer. It is
> embarrassing to tell someone that you are coming to their site to fix a
> problem you just created remotely ;-) 
> You will need to check that using this does not create any security
> risks, but it seemed ok to me.

the same for me :)

this option is fine -- i like it

i was just advised by some other guy that he uses a cron job that resets
his iptables while he edits his firewall every 5 minutes, also
another good and safe (!) solution -- if you write that script only to
enable ssh connection, it is ok.

you are sure to reconnect over ssh in 5 minutes -- safe enough --
but be aware of other shorewall complexities -- it uses several user
defined chains and you should really make sure to reset them all to
allow ssh connection to go through -- probably calling something like
/etc/init.d/shorewall stop from that script is not a bad idea at all :)

the only sad thing about it is that it was not my idea :)

> > i was looking in config and startup files but did not find a simple
> > solution -- when internally running iptables commands return with
> > failure, the failure is not returned from shorewall scripts (all is
> > returned as proper exit code 0) and so you can't react to exit
> > code of underlying iptables commands -- any solutions (using debian
> > stable version 1.2.12).
> > 
> > 2. the above iptables commands i placed into '/etc/shorewall/common'
> > file, cause i find no better suitable location for them -- is there a
> > file for running special user iptables commands?
> > 
> So far I haven't tried this as I could do everything I needed using the
> standard config files.

anyway, thx for answer, the option is helpful indeed.

now i can see it even in 'interfaces' file, but with description
that tells nothing of its practical use to a new shorewall user (me).
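
The cron-based reset described in the message above, sketched as an added example that is not part of the original post and is not Shorewall's own code. The flag file, script path, variable and function names are assumptions, as is SSH listening on TCP port 22; the script flushes and deletes the user-defined chains in every table before leaving only SSH open, and reports iptables failures through its exit code.

```shell
#!/bin/sh
# Added example: dead-man switch for remote firewall edits (not Shorewall code).
# Assumed names: FLAG, SSH_PORT, APPLY, failsafe_plan, failsafe_run.
# Hypothetical /etc/cron.d entry:
#   */5 * * * * root APPLY=1 /usr/local/sbin/fw-failsafe.sh --cron
FLAG="${FLAG:-/var/run/fw-editing}"  # touch before editing, remove when done
SSH_PORT="${SSH_PORT:-22}"

# Print the iptables commands that return the host to an SSH-only state.
failsafe_plan() {
    # Open the filter policies first so the flush cannot cut a live session.
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -P $chain ACCEPT"
    done
    for table in filter nat mangle; do
        echo "iptables -t $table -F"  # flush built-in and user-defined chains
        echo "iptables -t $table -X"  # delete the emptied user-defined chains
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    # Close inbound and forwarded traffic only after SSH is allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
}

# Run from cron: no-op unless an edit session is flagged. Prints the plan by
# default; with APPLY=1 executes it and returns non-zero if any command failed.
failsafe_run() {
    [ -e "$FLAG" ] || return 0
    if [ "${APPLY:-0}" != 1 ]; then
        failsafe_plan
        return 0
    fi
    failsafe_plan | (
        rc=0
        while read -r cmd; do
            $cmd || { echo "failed: $cmd" >&2; rc=1; }
        done
        exit "$rc"
    )
}

case "${1:-}" in
    --cron) failsafe_run ;;
esac
```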

