I'd like to make a request, if some ...ahem ... stupid user can't spell something like SMTP properly in the rules files, ignore it, report it, and keep going, rather than coming to a complete and total screeching halt, requiring someone to physically go to a remote site (30 miles away) to fix and restart the firewall.
On Tue, 2003-07-29 at 13:07, Steve Ferguson wrote:
> I'd like to make a request, if some ...ahem ... stupid user can't spell
> something like SMTP properly in the rules files, ignore it, report it,
> and keep going, rather than coming to a complete and total screeching
> halt, requiring someone to physically go a remote site (30 miles away)
> to fix and restart the firewall.

Possibly the ... ahem ... stupid user should use the 'try' command when installing changes so that when these sorts of typing errors are discovered, Shorewall will restart itself using the previous configuration.

And the user in question might consider adding the IP address of his system (or at least one system that is within walking distance) to the /etc/shorewall/routestopped file so that when the firewall is stopped, communication from this one computer is still possible.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
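Added example, not Shorewall's own code: a small shell model of what 'try' buys you. A candidate rules file is validated before it replaces the live one, and an unknown port name (the misspelled SMTP from the original request) is treated as a reason to keep the previous configuration rather than stop. The five-column rules layout (ACTION SOURCE DEST PROTO DEST PORT), the embedded services list and the file names are assumptions made for this example.

```shell
#!/bin/sh
# Illustration of "try" semantics on one rules file: validate first, install
# only on success, otherwise keep the live file untouched. Not Shorewall code.

# Constructed subset of /etc/services used to resolve symbolic port names.
KNOWN_SERVICES="smtp ssh http https domain"

is_known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# validate_rules FILE: checks the PROTO and DEST PORT columns of every
# non-comment line, prints one diagnostic per bad line, and returns the
# number of bad lines (0 means the file is acceptable).
validate_rules() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                      # split the columns on whitespace
        proto=$4
        dport=$5
        case "$proto" in
            tcp|udp|icmp|all|-) ;;
            *) echo "line $n: unknown protocol '$proto'"; bad=$((bad + 1)); continue ;;
        esac
        case "$dport" in
            ''|-) ;;                      # no port restriction
            *[!0-9]*)                     # symbolic name: must be a known service
                is_known_service "$dport" || { echo "line $n: unknown service '$dport'"; bad=$((bad + 1)); } ;;
            *)                            # numeric port: must be in range
                [ "$dport" -le 65535 ] || { echo "line $n: port $dport out of range"; bad=$((bad + 1)); } ;;
        esac
    done < "$file"
    return $bad
}

# try_rules CANDIDATE LIVE: the "try" step. The candidate is installed only
# if it validates; otherwise the live file stays as it was and we fail loudly.
try_rules() {
    if validate_rules "$1"; then
        cp "$1" "$2"
        echo "installed $1 as $2"
        return 0
    fi
    echo "keeping previous $2"
    return 1
}

# Constructed demo files so the script runs stand-alone.
demo_dir=$(mktemp -d)
printf 'ACCEPT net fw tcp smtp\n' > "$demo_dir/rules.live"
printf 'ACCEPT net fw tcp smpt\n' > "$demo_dir/rules.new"   # the typo from the thread
try_rules "$demo_dir/rules.new" "$demo_dir/rules.live" || echo "live rules unchanged"
```

The real 'try' command does this at the level of a whole configuration directory and a firewall restart; the point the model keeps is that the failure path ends with the previous, working configuration still in place instead of a stopped firewall.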
Tom Eastep
2003-Jul-29 14:33 UTC
[Shorewall-devel] Re: [Shorewall-users] Stupid user messpilings
On Tue, 2003-07-29 at 13:33, Tom Eastep wrote:
> On Tue, 2003-07-29 at 13:07, Steve Ferguson wrote:
> > I'd like to make a request, if some ...ahem ... stupid user can't spell
> > something like SMTP properly in the rules files, ignore it, report it,
> > and keep going, rather than coming to a complete and total screeching
> > halt, requiring someone to physically go a remote site (30 miles away)
> > to fix and restart the firewall.
>
> Possibly the ... ahem ... stupid user should use the 'try' command when
> installing changes so that when these sorts of typing errors are
> discovered, Shorewall will restart itself using the previous
> configuration.
>
> And the user in question might consider adding the IP address of his
> system (or at least one system that is within walking distance) to the
> /etc/shorewall/routestopped file so that when the firewall is stopped,
> communication from this one computer is still possible.
>

However, this continues to be a topic that won't die so I've decided on the following:

I have added a new setting in shorewall.conf -- the setting name is ADMINISABSENTMINDED and the default value is "No".

With ADMINISABSENTMINDED=No, Shorewall works like it always has.

With ADMINISABSENTMINDED=Yes, when Shorewall enters the stopped state then in addition to allowing all traffic to/from hosts listed in /etc/shorewall/routestopped, Shorewall also allows:

a) all output traffic.
b) all traffic that is part of or related to an already-established connection.

With ADMINISABSENTMINDED=Yes, "shorewall stop" (or an error during "shorewall [re]start") shuts off most new connections but continues to allow existing connections to work.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
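As an added illustration (not Shorewall's own code), the script below prints the iptables rule set that the stopped state described above amounts to, for both values of ADMINISABSENTMINDED. The routestopped contents, its two-column interface/host layout, and the drop-everything baseline are assumptions made for the example; the commands are printed rather than executed, so the script needs neither root nor iptables to run.

```shell
#!/bin/sh
# Model of the "stopped" rule set with and without ADMINISABSENTMINDED.
# Rules are echoed, not applied. Not Shorewall code.

# Constructed sample of /etc/shorewall/routestopped: "interface host" per line.
ROUTESTOPPED='eth0 192.168.1.10
eth1 10.0.0.5'

# stopped_rules SETTING: prints the iptables commands for the stopped state,
# where SETTING is the ADMINISABSENTMINDED value ("Yes" or "No").
stopped_rules() {
    absent=$1

    # Baseline (assumption): a stopped firewall drops everything it is not
    # explicitly told to accept, on all three chains.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -F"
    # Loopback stays open so local services keep talking to each other.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"

    # Hosts listed in routestopped may reach the firewall, be reached by it,
    # and be routed through it, regardless of the setting.
    printf '%s\n' "$ROUTESTOPPED" | while read -r iface host; do
        [ -z "$iface" ] && continue
        echo "iptables -A INPUT -i $iface -s $host -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -d $host -j ACCEPT"
        echo "iptables -A FORWARD -i $iface -s $host -j ACCEPT"
        echo "iptables -A FORWARD -o $iface -d $host -j ACCEPT"
    done

    if [ "$absent" = "Yes" ]; then
        # a) all output traffic from the firewall itself
        echo "iptables -A OUTPUT -j ACCEPT"
        # b) anything belonging to or related to an existing connection,
        #    so sessions that were up before the stop keep working
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
        done
    fi
}

# Print both variants side by side when run directly.
for setting in No Yes; do
    echo "# ADMINISABSENTMINDED=$setting"
    stopped_rules "$setting"
done
```

The difference between the two listings is exactly the three extra ACCEPT rules: with the setting at No, a remote admin whose address is not in routestopped loses the firewall entirely once it stops; with Yes, connections already open (including the admin's own SSH session, if it was up) survive, while new inbound connections are still refused.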
Paul Gear
2003-Jul-29 15:29 UTC
[Shorewall-devel] Re: [Shorewall-users] Stupid user messpilings
Tom Eastep wrote:
> ...
>
> However, this continues to be a topic that won't die so I've decided on
> the following:
> ...
> With ADMINISABSENTMINDED=Yes, "shorewall stop" (or an error during
> "shorewall [re]start") shuts off most new connections but continues to
> allow existing connections to work.
>

Will ADMINISABSENTMINDED=Yes be the default, or ADMINISABSENTMINDED=No?

Paul
Tom Eastep
2003-Jul-29 15:30 UTC
[Shorewall-devel] Re: [Shorewall-users] Stupid user messpilings
On Wed, 30 Jul 2003 08:28:46 +1000, Paul Gear <paul@gear.dyndns.org> wrote:
> Tom Eastep wrote:
>
>> ...
>>
>> However, this continues to be a topic that won't die so I've decided on
>> the following:
>> ...
>> With ADMINISABSENTMINDED=Yes, "shorewall stop" (or an error during
>> "shorewall [re]start") shuts off most new connections but continues to
>> allow existing connections to work.
>>
>
> Will ADMINISABSENTMINDED=Yes be the default, or ADMINISABSENTMINDED=No?
>

ADMINISABSENTMINDED=No

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Paul Gear
2003-Jul-29 16:30 UTC
[Shorewall-devel] Re: [Shorewall-users] Stupid user messpilings
Tom Eastep wrote:
> On Wed, 30 Jul 2003 08:28:46 +1000, Paul Gear <paul@gear.dyndns.org>
> wrote:
>
>> Tom Eastep wrote:
>>
>>> ...
>>>
>>> However, this continues to be a topic that won't die so I've decided on
>>> the following:
>>> ...
>>> With ADMINISABSENTMINDED=Yes, "shorewall stop" (or an error during
>>> "shorewall [re]start") shuts off most new connections but continues to
>>> allow existing connections to work.
>>>
>>
>> Will ADMINISABSENTMINDED=Yes be the default, or ADMINISABSENTMINDED=No?
>>
>
> ADMINISABSENTMINDED=No

I just wonder whether it will help you that much (in terms of support) if you don't make it the default - not that I think it should be, mind you. I just am not sure that it's going to achieve its intended purpose.

Paul
Tom Eastep
2003-Jul-29 16:37 UTC
[Shorewall-devel] Re: [Shorewall-users] Stupid user messpilings
On Wed, 30 Jul 2003 09:30:21 +1000, Paul Gear <paul@gear.dyndns.org> wrote:
>
> I just wonder whether it will help you that much (in terms of support) if
> you don't make it the default - not that I think it should be, mind you.
> I just am not sure that it's going to achieve its intended purpose.
>

I can make the default for new users Yes and for existing users No; I've done that sort of thing before.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net