
Re: Disable firewall via remote access



On Tue, 28 Nov 2006, Ulf Volmer wrote:
> > [... firewall activated remotely ...]
> That's the reason why it's better to use
> firewall start ; sleep 10 ; firewall stop
> instead.

Shorewall has an amusing option for exactly this in
/etc/shorewall/shorewall.conf:

#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted. 
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive 
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes

and personally I quite like the way interfaces are split into zones,
with default policies defined per zone.

It's just not something you can click through. ;-)


> > A backdoor, so to speak, that always works as long as you have root
> > privileges or something like that...
> Please let me know if you find something like that.

Done!

t++
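The "firewall start ; sleep 10 ; firewall stop" idea quoted above can be made a little less blunt: apply the new rules, then wait for the admin to confirm from a fresh session that the rules still let them in, and roll back automatically if that confirmation never arrives. The following POSIX shell function is an added example written for this thread; it is not part of the original mail and not Shorewall's own tooling. The command strings (for instance "shorewall start" and "shorewall clear") and the confirmation-file path are assumptions you fill in; the function itself only runs what you pass to it.

```shell
#!/bin/sh
# Added example (not from the original thread): "confirm or roll back"
# wrapper for remote firewall changes, a safer variant of
#   firewall start ; sleep 10 ; firewall stop
#
# safe_apply APPLY_CMD REVERT_CMD TIMEOUT_SECONDS CONFIRM_FILE
#   1. runs APPLY_CMD (e.g. "shorewall start")      -- assumption, your choice
#   2. waits up to TIMEOUT_SECONDS for CONFIRM_FILE to appear; the admin
#      creates it from a *new* login session, which proves the new rules
#      still admit them
#   3. if no confirmation arrives, runs REVERT_CMD (e.g. "shorewall clear")
#   Return codes: 0 = confirmed and kept, 1 = timed out and reverted,
#                 2 = APPLY_CMD itself failed (nothing reverted).
safe_apply() {
    apply_cmd=$1
    revert_cmd=$2
    timeout=$3
    confirm=$4

    # a stale confirmation file from an earlier run must not count
    rm -f "$confirm"

    if ! sh -c "$apply_cmd"; then
        echo "apply command failed, firewall left as it was" >&2
        return 2
    fi

    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            echo "change confirmed within ${i}s, keeping new rules"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done

    echo "no confirmation within ${timeout}s, reverting" >&2
    sh -c "$revert_cmd"
    return 1
}

# Typical use from the remote session that makes the change (assumed commands):
#   safe_apply "shorewall start" "shorewall clear" 60 /run/fw-confirm
# and from a second, freshly opened session once you are sure you still get in:
#   touch /run/fw-confirm
```

Note that the revert step has the same limitation the ADMINISABSENTMINDED comment describes: if REVERT_CMD puts the firewall into a state that drops your session, you are still locked out, so pair this with /etc/shorewall/routestopped or ADMINISABSENTMINDED=Yes rather than instead of them.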
