[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: hardening checkpoints



Am Donnerstag, 15. Dezember 2005 14:26 schrieb Dale Amon:
> On Thu, Dec 15, 2005 at 12:27:01PM +0000, kevin bailey wrote:
> > 2. firewall
> > not i'm not sure about the need for a firewall - i may need to access the
> > server over ssh from anywhere.  also, to run FTP doesn't the server need
> > to be able to open up a varying number of ports.
>
> There is a way around this. If you are really worried
> about a mistake, use 'at' to turn the firewall off after
> 5 minutes. That way you can set up your test and if
> you screwed up you only have to wait a few min before
> it goes away. If it worked, you just kill the queued
> at command line.

If you use shorewall to setup iptables, you may also just create a copy of 
the /etc/shorewall directory to e.g. /etc/shorewall.test, change the rules in 
shorewall.test first and test them from there with 

  shorewall try /etc/shorewall.test 120

After the specified timeout (in seconds) shorewall reverts back to the default 
ruleset from /etc/shorewall. So if you made a mistake, your host will be 
accessible again after the timeout (with the default firewall ruleset 
running); if everything is fine, you can just press Ctrl-C to abort reverting 
to the default ruleset. Of course, afterwards update /etc/shorewall to 
incorporate your tested changes.

Regards, Klaus

-- 
Dipl.-Ing. Klaus Holler <kho@gmx.at>

Attachment: pgplK5bNRRquk.pgp
Description: PGP signature


Reply to: