Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sun, 20 Jan 2002 00:03:18 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Francisco,
> The result, obviously, a locked server.
>
> This has been my first firewall lesson :-(
Oh well ... I could say "I told ya", but I won't. ;o)
> And this makes me believe that, for remote servers, perhaps it would be
> better to implement a general DENY policy by something like:
>
> $IPCHAINS -A input -j DENY -s $REMOTENET -d $LOCALNET
No, I'd rather use a better reset routine instead. Put this at the top of
your firewall ruleset:
# Function to disable the firewall:
down() {
    echo "Flushing all rulesets -- firewall disabled"
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward ACCEPT
    $IPCHAINS -F
    exit 1
}
You can then call the routine to stop the firewall with the command "down"
from anywhere inside your script.
Like in the example below in the 5th line:
# Check for command line options
case "$1" in
    -f|--flush|--stop|stop)
        /sbin/lcd-write "Stopping" "Firewall"
        down
        exit 1
        ;;
    -s|--start|start)
        echo -n "Starting gShield firewall"
        /sbin/lcd-write "Starting" "Firewall"
        ;;
    -r|--restart|restart)
        echo -n "Restarting gShield firewall"
        /sbin/lcd-write "Restarting" "Firewall"
        ;;
    *)
        echo "Usage: start|stop|restart"
        exit 1
        ;;
esac
Without a serial console attached to the machine I'd use a different approach
as a safety precaution. Issue the command "shutdown -r -t 5m" in a second SSH
session as "root". That will reboot the server in 5 minutes (check the syntax
... that's just off the top of my head and I could have messed up the
switches). Use the first SSH console to test if the firewall works. If not,
and if it locks you out, well ... then the machine will reboot in 5 minutes
and you can try again. If it works just fine and you don't want the reboot to
occur, then press CTRL+C in the second console (where you issued the reboot)
to abort the reboot.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
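The down() routine and the timed-reboot trick above share one idea: arrange for the lockout to undo itself. As an added example (not code from Michael's mail, gShield or Cobalt), the script below applies a test ruleset and flushes it again after a grace period unless the administrator confirms it from a session that still works, so no reboot is needed. The ipchains path, the admin network, the confirmation file and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example: test an ipchains ruleset remotely with automatic rollback.
# IPCHAINS, ADMINNET, CANCEL_FILE and GRACE_SECS are assumed defaults; override
# them in the environment (IPCHAINS=echo gives a dry run).
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
ADMINNET="${ADMINNET:-192.0.2.0/24}"          # constructed: where you SSH in from
CANCEL_FILE="${CANCEL_FILE:-/var/run/fw-test.keep}"
GRACE_SECS="${GRACE_SECS:-300}"               # seconds before rollback
# Same shape as the down() routine in the mail, minus the exit so it can be
# called from a background job without killing the script.
down() {
    echo "Flushing all rulesets -- firewall disabled"
    "$IPCHAINS" -P input ACCEPT
    "$IPCHAINS" -P output ACCEPT
    "$IPCHAINS" -P forward ACCEPT
    "$IPCHAINS" -F
}
# Sample ruleset under test: deny by default, keep loopback and SSH from the
# admin network open. Replace with your own rules.
apply_rules() {
    "$IPCHAINS" -F
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -A input -i lo -j ACCEPT
    "$IPCHAINS" -A input -p tcp -s "$ADMINNET" -d 0/0 22 -j ACCEPT
}
# Confirm from the session that still works: marks the ruleset as good.
keep_firewall() { : > "$CANCEL_FILE"; }
# Wait GRACE_SECS, then flush unless keep_firewall ran in the meantime.
# Returns 0 when it rolled back, 1 when the ruleset was kept.
rollback_unless_kept() {
    sleep "$GRACE_SECS"
    if [ -e "$CANCEL_FILE" ]; then
        rm -f "$CANCEL_FILE"
        echo "Ruleset confirmed; keeping firewall"
        return 1
    fi
    echo "No confirmation within ${GRACE_SECS}s -- rolling back"
    down
    return 0
}
case "${1:-}" in
    test) rm -f "$CANCEL_FILE"; apply_rules; rollback_unless_kept &
          echo "Rules live; run '$0 keep' within ${GRACE_SECS}s or they are flushed" ;;
    keep) keep_firewall ;;
    stop) down ;;
    "")   ;;                                  # no argument: define functions only
    *)    echo "Usage: $0 test|keep|stop" >&2; exit 1 ;;
esac
```

Run `fw-test.sh test` from one SSH session, check that a second login still works, then run `fw-test.sh keep` from either session; if the second login fails, just wait out the grace period.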