During the summer, I /ssh/ to many of our Department's machines.

What, if any, can I do with /shorewall/ via the /ssh/ connection?
Of course "read only" type requests (e.g., "shorewall hits",
"shorewall show log", etc) are not a problem.

When I tried "service shorewall stop" for some testing, the /ssh/
connection to/from the firewall just "hung" after displaying the
following messages:

  Processing /etc/shorewall/shorewall.conf ...
  Processing /etc/shorewall/params
  Stopping Shorewall...

I know it is best to be sitting at the firewall machine. But, I'm not
always physically there.

So a list of OK/not OK commands would be useful ...

Thanks,

-Kenneth
SHOREWALL TimeLord
2002-Jul-10 19:23 UTC
[Shorewall-users] Remote Firewall Administration
Kenneth Jacker (10.7.2002 21:08):

> During the summer, I /ssh/ to many of our Department's machines.
>
> What, if any, can I do with /shorewall/ via the /ssh/ connection?
> Of course "read only" type requests (e.g., "shorewall hits",
> "shorewall show log", etc) are not a problem.
>
> When I tried "service shorewall stop" for some testing, the /ssh/
> connection to/from the firewall just "hung" after displaying the
> following messages:
>
>   Processing /etc/shorewall/shorewall.conf ...
>   Processing /etc/shorewall/params
>   Stopping Shorewall...
>
> I know it is best to be sitting at the firewall machine. But, I'm not
> always physically there.
>
> So a list of OK/not OK commands would be useful ...

Check the documentation: http://slovakia.shorewall.net/Documentation.htm#Interfaces

  OPTIONS
  routestopped - When the firewall is stopped, traffic to and from this
  interface will be accepted and routing will occur between this
  interface and other routestopped interfaces.

This is my /etc/shorewall/interfaces on my remote host, and if I remotely
stop shorewall my SSH is still connected..

  #ZONE   INTERFACE   BROADCAST   OPTIONS
  net     eth0        detect      routestopped,blacklist,norfc1918
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

TimeLord
SHOREWALL TimeLord
2002-Jul-10 19:43 UTC
Re(2): [Shorewall-users] Remote Firewall Administration
John Andersen (10.7.2002 21:47):

> On 10 Jul 2002 at 21:23, SHOREWALL TimeLord wrote:
>
>> check Documentation:
>> http://slovakia.shorewall.net/Documentation.htm#Interfaces
>> OPTIONS
>> routestopped - When the firewall is stopped, traffic to and from this interface
>> will be accepted and routing will occur between this interface and other
>> routestopped interfaces.
>>
>> this is my /etc/shorewall/interfaces on my remote host and if I remotely stop
>> shorewall my SSH is still connected..
>>
>>   #ZONE   INTERFACE   BROADCAST   OPTIONS
>>   net     eth0        detect      routestopped,blacklist,norfc1918
>>   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Yes, but isn't this sort of dangerous?
> If shorewall goes down you might be none the wiser, but you would be
> unprotected.

Hehe .. sure .. if your services are configured like Windows :o)
If U think that a firewall can protect you from every attack then "let the
Power be with U" ;o)

My services are configured in such a way that if shorewall is down all my
services can work fine without any big security problems for some time..
But U can use your own iptables script and start it when shorewall is
down and allow only your IP to connect to that host..

TimeLord

> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386
--On Wednesday, July 10, 2002 15:08:51 -0400 Kenneth Jacker <khj@cs.appstate.edu> wrote:

> During the summer, I /ssh/ to many of our Department's machines.
>
> What, if any, can I do with /shorewall/ via the /ssh/ connection?
> Of course "read only" type requests (e.g., "shorewall hits",
> "shorewall show log", etc) are not a problem.
>
> When I tried "service shorewall stop" for some testing, the /ssh/
> connection to/from the firewall just "hung" after displaying the
> following messages:
>
>   Processing /etc/shorewall/shorewall.conf ...
>   Processing /etc/shorewall/params
>   Stopping Shorewall...

This always reminds me of a person sitting on a tree limb madly sawing
that same limb between himself and the tree's trunk :-)

> I know it is best to be sitting at the firewall machine. But, I'm not
> always physically there.
>
> So a list of OK/not OK commands would be useful ...

Well, "stop" and "restart" are the poor choices. You know about stop --
restart may fail to start again because of a configuration error, in which
case its effect is the same as stop.

A better way to change configurations remotely is to use the "try"
command; it was developed exactly for this purpose:

a) Copy the Shorewall files that you need to change to /etc/shoretest
b) Modify those files
c) "shorewall try /etc/shoretest"

That way, if the changed configuration fails to come up, /sbin/shorewall
will restart the main configuration in /etc/shorewall.

If you are worried that your new configuration may start but may disallow
remote SSH traffic, you can replace c) with:

c) "shorewall try /etc/shoretest 60"

That will start the configuration in /etc/shoretest, wait 60 seconds then
restart the main configuration.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
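The "try with a timeout" safeguard Tom describes above, as an added illustration that is not Shorewall's own code: a POSIX shell helper that loads a candidate ruleset, waits for the operator to confirm from the same SSH session, and otherwise restores the known-good configuration. The firewall is simulated with plain files so it runs anywhere; STATE_DIR, apply_config and the confirmation marker file are constructed for this example.

```shell
#!/bin/sh
# Dead-man's-switch pattern behind `shorewall try <dir> <seconds>`:
# apply the new configuration, then revert unless the admin proves the
# SSH session survived by confirming before the timeout.
# Simulation only: the "running ruleset" is a file, not iptables.

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"   # constructed scratch area
ACTIVE="$STATE_DIR/active.conf"          # stands in for the loaded ruleset
CONFIRM="$STATE_DIR/confirmed"           # operator creates this to keep the change

# apply_config FILE: "start" the firewall with FILE (simulated by copying).
# Fails if FILE cannot be read, mirroring a configuration that fails to come up.
apply_config() {
    cp "$1" "$ACTIVE"
}

# try_config CANDIDATE TIMEOUT: apply CANDIDATE, wait up to TIMEOUT seconds for
# confirmation, and fall back to the previous configuration otherwise.
# Prints "kept" or "reverted"; always returns 0 so the caller's session
# is never left with the firewall in an undefined state.
try_config() {
    candidate=$1
    timeout=$2
    backup="$STATE_DIR/known-good.conf"
    cp "$ACTIVE" "$backup"              # remember what was running
    rm -f "$CONFIRM"                    # a stale confirmation must not count
    if ! apply_config "$candidate"; then
        apply_config "$backup"          # failed to load: restore at once
        echo reverted
        return 0
    fi
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$CONFIRM" ]; then      # admin still has access: keep it
            echo kept
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    apply_config "$backup"              # no word from the admin: roll back
    echo reverted
    return 0
}

# confirm_change: what the operator runs once the new ruleset proves usable.
confirm_change() {
    touch "$CONFIRM"
}
```

In the real deployment the confirmation is simply the `try` window elapsing while your SSH session keeps working, at which point you copy the tested files into /etc/shorewall and restart for good.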
RettConsBulkMail
2002-Jul-10 22:12 UTC
[Shorewall-users] Remote Firewall Administration (Feedback please?)
Hello,

When you stop the firewall remotely, by default it will shut down the ssh
connection.

In the /etc/shorewall/interfaces, you can specify an option, routestopped.

By default, when shorewall stops, it disables routing through all
interfaces.

If you add the routestopped option to the interfaces file for the
interface you are ssh'ing into, I believe this will let the firewall
continue to route traffic, ie your ssh connection, when there are no
firewalling rules enabled.

Of course this depends on whether or not you are using shorewall for
NATting or Proxyarping, ie, any routes that shorewall defines dynamically
when it starts will be lost for these services.

(maybe shorewall will keep the proxy arp routes when it is shut down?)

But if the routestopped (meaning allow routing while the firewall is
stopped) option is added to the interface(s) and a default route exists,
your traffic (ssh) will continue.

This is my understanding of the routestopped option, though I have not
verified this assumption.
Also, I probably do not know enough about how shorewall creates and keeps
routes when shut down to be very accurate here.

So I guess this reply is more of a question, though I think I am close...

Hope this helps,

Alex at rettconsulting.com

-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net] On Behalf Of Kenneth Jacker
Sent: Wednesday, July 10, 2002 12:09 PM
To: Shorewall Users
Subject: [Shorewall-users] Remote Firewall Administration

During the summer, I /ssh/ to many of our Department's machines.

What, if any, can I do with /shorewall/ via the /ssh/ connection?
Of course "read only" type requests (e.g., "shorewall hits",
"shorewall show log", etc) are not a problem.

When I tried "service shorewall stop" for some testing, the /ssh/
connection to/from the firewall just "hung" after displaying the
following messages:

  Processing /etc/shorewall/shorewall.conf ...
  Processing /etc/shorewall/params
  Stopping Shorewall...

I know it is best to be sitting at the firewall machine. But, I'm not
always physically there.

So a list of OK/not OK commands would be useful ...

Thanks,

-Kenneth

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Tom Eastep
2002-Jul-10 22:27 UTC
[Shorewall-users] Remote Firewall Administration (Feedback please?)
--On Wednesday, July 10, 2002 15:12:38 -0700 RettConsBulkMail <rcbulkmail@cuscominc.com> wrote:

> Hello,
>
> When you stop the firewall remotely, by default it will shut down the ssh
> connection.

More correctly, it will drop packets associated with that connection.

> In the /etc/shorewall/interfaces, you can specify an option, routestopped.
>
> By default, when shorewall stops, it disables routing through all
> interfaces.
>
> If you add the routestopped option to the interfaces file for the
> interface you are ssh'ing into, I believe this will let the firewall
> continue to route traffic, ie your ssh connection, when there are no
> firewalling rules enabled.
>
> Of course this depends on whether or not you are using shorewall for
> NATting or Proxyarping, ie, any routes that shorewall defines dynamically
> when it starts will be lost for these services.
>
> (maybe shorewall will keep the proxy arp routes when it is shut down?)

When stopping, Shorewall deletes any routes added as a result of entries in
/etc/shorewall/proxyarp where the "HAVEROUTE" column is empty or "No".

> But if the routestopped (meaning allow routing while the firewall is
> stopped) option is added to the interface(s) and a default route exists,
> your traffic (ssh) will continue.
>
> This is my understanding of the routestopped option, though I have not
> verified this assumption.
> Also, I probably do not know enough about how shorewall creates and keeps
> routes when shut down to be very accurate here.

All routes other than the proxy ARP routes described above remain intact.

> So I guess this reply is more of a question, though I think I am close...

Your understanding is correct (modulo the questions). I personally don't
like the notion of 'routestopped' on my external interface; when the
firewall is stopped, my firewall is essentially wide open then.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net