Dear All,

I think this is a bug report (though it might turn out to be a silly question).

When I log in remotely to a system running shorewall, and execute shorewall stop, then the firewall closes down completely. [I do know about ADMINISABSENTMINDED, and the fact that my existing ssh connection doesn't die.]

However, at that point, there is no way to establish a new SSH connection to the system. If I had logged out, and forgotten to restart shorewall, I'd need to buy a train ticket to sort out the problem!

Adding IP addresses in /etc/shorewall/routestopped doesn't help, because I don't necessarily know in advance which IP address I am logging in from.

Is there any way to make routestopped enable "all traffic on port 22, regardless of source IP"?

Thanks,

Richard

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Richard Neill wrote:
> Is there any way to make routestopped enable
> "all traffic on port 22, regardless of source IP" ?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Richard Neill wrote:
>
>> Is there any way to make routestopped enable
>> "all traffic on port 22, regardless of source IP" ?
>
> No.
>
> -Tom

Dear Tom,

Thanks for a very to-the-point answer! At least I know I'm not doing anything daft. So, I now have a bug-report/feature request for the above.

Namely, I'd like to make sure that SSH is always accessible, even after having done "shorewall stop".

Regards,

Richard
Richard Neill wrote:
> Tom Eastep wrote:
>> Richard Neill wrote:
>>
>>> Is there any way to make routestopped enable
>>> "all traffic on port 22, regardless of source IP" ?
>> No.
>>
>> -Tom
>
> Dear Tom,
>
> Thanks for a very to-the-point answer! At least I know I'm not doing
> anything daft. So, I now have a bug-report/feature request for the above.
>
> Namely, I'd like to make sure that SSH is always accessible, even after
> having done "shorewall stop".
>

Then add the appropriate rule in your /etc/shorewall/stop file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Richard Neill wrote:
>> Tom Eastep wrote:
>>> Richard Neill wrote:
>>>
>>>> Is there any way to make routestopped enable
>>>> "all traffic on port 22, regardless of source IP" ?
>>> No.
>>>
>>> -Tom
>>
>> Dear Tom,
>>
>> Thanks for a very to-the-point answer! At least I know I'm not doing
>> anything daft. So, I now have a bug-report/feature request for the above.
>>
>> Namely, I'd like to make sure that SSH is always accessible, even
>> after having done "shorewall stop".
>>
>
> Then add the appropriate rule in your /etc/shorewall/stop file.

D'oh! I'm very nearly an idiot. I should have known there was a simple answer.

That said:

* Does /etc/shorewall/stop allow rules to be added in the same format as shorewall/rules, or is it necessary to learn to grok iptables?

* There isn't a man page for shorewall-stop, and it isn't cross-referenced from man shorewall-routestopped.

While I'm writing, I wonder if I might ask another question:

Once the firewall has started, what happens if an interface is subsequently reconfigured? Is it possible to configure shorewall to firewall off, say, wlan0, (which isn't running at the time), and then, once shorewall is running, subsequently bring up wlan0 with a dhcp-assigned address?

[I'll add the answer to my Mandrake howto]

Thanks,

Richard

> -Tom
Richard Neill wrote:
>
> Tom Eastep wrote:
>> Richard Neill wrote:
>>> Tom Eastep wrote:
>>>> Richard Neill wrote:
>>>>
>>>>> Is there any way to make routestopped enable
>>>>> "all traffic on port 22, regardless of source IP" ?
>>>> No.
>>>>
>>>> -Tom
>>> Dear Tom,
>>>
>>> Thanks for a very to-the-point answer! At least I know I'm not doing
>>> anything daft. So, I now have a bug-report/feature request for the above.
>>>
>>> Namely, I'd like to make sure that SSH is always accessible, even
>>> after having done "shorewall stop".
>>>
>> Then add the appropriate rule in your /etc/shorewall/stop file.
>
> D'oh! I'm very nearly an idiot. I should have known there was a simple
> answer.
>
> That said:
>
> * Does /etc/shorewall/stop allow rules to be added in the same format
> as shorewall/rules, or is it necessary to learn to grok iptables?
>
> * There isn't a man page for shorewall-stop, and it isn't
> cross-referenced from man shorewall-routestopped.

The /etc/shorewall/stop file is described at http://www.shorewall.net/shorewall_extension_scripts.htm. It is necessary to use an iptables command:

run_iptables -I INPUT 1 -p 6 --dport 22 -j ACCEPT

>
> While I'm writing, I wonder if I might ask another question:
>
> Once the firewall has started, what happens if an interface is
> subsequently reconfigured? Is it possible to configure shorewall to
> firewall off, say, wlan0, (which isn't running at the time), and then,
> once shorewall is running, subsequently bring up wlan0 with a
> dhcp-assigned address?

The 'optional' interface option allows Shorewall to come up without the interface being present. You will generally need to 'shorewall restart' after the interface is up and configured.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
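As an added example (not part of the thread and not Shorewall's own code), the following shell script puts Tom's answer into practice from a defender's point of view: it generates the one-line /etc/shorewall/stop extension script he describes, and it checks a listing in the format of "iptables -S INPUT" to confirm that the port-22 ACCEPT is actually reached before any terminating DROP or REJECT rule in the stopped ruleset. The listings are constructed samples; the rule text itself is the one from Tom's reply, and the assumption that run_iptables is available inside the extension script follows the extension-scripts page he links.

```shell
#!/bin/sh
# Added example: build the /etc/shorewall/stop extension script and verify,
# against an "iptables -S INPUT" style listing, that SSH stays reachable
# after "shorewall stop".

# Body of /etc/shorewall/stop. Shorewall sources this file while stopping, so
# run_iptables (Shorewall's wrapper around iptables) is assumed to be in scope.
# "-I INPUT 1" puts the rule at the head of INPUT, ahead of the DROP policy
# and rules that the stopped state installs. "-p 6" is TCP by protocol number.
stop_script_body() {
    cat <<'EOF'
# /etc/shorewall/stop: keep SSH reachable once the firewall is stopped
run_iptables -I INPUT 1 -p 6 --dport 22 -j ACCEPT
EOF
}

# Write the extension script to a path (use /etc/shorewall/stop on a real host).
write_stop_script() {
    stop_script_body > "$1" && chmod 0644 "$1"
}

# Return 0 if, walking INPUT top to bottom, an ACCEPT for TCP dport 22 appears
# before any terminating DROP/REJECT rule; 1 otherwise. Rule order matters:
# an ACCEPT placed after "-j DROP" is never reached.
ssh_accept_precedes_drop() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT .*-j (DROP|REJECT)/ { exit }
        /^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT/ { ok = 1; exit }
        END { exit !ok }'
}

# Constructed sample: stopped firewall with the stop-script rule in place.
SAMPLE_OK='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP'

# Constructed sample: stopped firewall without the rule, the situation in the
# original question (new SSH connections are dropped).
SAMPLE_BAD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP'

# Stand-alone demonstration. On a live host replace the samples with the
# actual listing: ssh_accept_precedes_drop "$(iptables -S INPUT)"
if ssh_accept_precedes_drop "$SAMPLE_OK"; then
    echo "sample with stop rule: SSH reachable"
fi
if ! ssh_accept_precedes_drop "$SAMPLE_BAD"; then
    echo "sample without stop rule: SSH would be cut off"
fi
```

The check is worth running right after "shorewall stop" from the session that survives thanks to ADMINISABSENTMINDED, before logging out: it catches a misplaced or mistyped rule while the existing connection can still be used to fix it.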