
Re: [cobalt-security] Portsentry, ipchains and pmfirewall



Hi Francisco,

> The result, obviously, a locked server.
>
> This has been my first firewall lesson :-(

Oh well ... I could say "I told ya", but I won't. ;o)

> And this makes me believe that, for remote servers, perhaps it would be
> better to implement a general DENY policy by something like:
>
> $IPCHAINS -A input -j DENY -s $REMOTENET -d $LOCALNET

No, I'd rather use a better reset routine instead. Put this at the top of 
your firewall ruleset:

# Function to disable the firewall. Define it before any rule is loaded, so it
# can be called from anywhere further down the script ($IPCHAINS must already
# be set at this point).
down() {
    echo "Flushing all rulesets -- firewall disabled"
    # Default policies back to ACCEPT first, then flush all chains
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward ACCEPT
    $IPCHAINS -F
    exit 0    # stopping the firewall is not an error
}

You can then call the routine to stop the firewall with the command "down" 
from anywhere inside your script.

As in the example below, on the 5th line:

# Check for command line options
case "$1" in
    -f|--flush|--stop|stop)
        /sbin/lcd-write "Stopping" "Firewall"
        down    # flushes the rules and exits; nothing after it is reached
        ;;
    -s|--start|start)
        echo -n "Starting gShield firewall"
        /sbin/lcd-write "Starting" "Firewall"
        ;;      # falls through to the rule loading below
    -r|--restart|restart)
        echo -n "Restarting gShield firewall"
        /sbin/lcd-write "Restarting" "Firewall"
        ;;      # falls through to the rule loading below
    *)
        echo "Usage: start|stop|restart"
        exit 1
        ;;
esac

Without a serial console attached to the machine I'd use a different approach 
as a safety precaution. Issue the command "shutdown -r -t 5m" in a second SSH 
session as "root". That will reboot the server in 5 minutes (check the syntax 
... that's just off the top of my head and I could have messed up the 
switches). Use the first SSH console to test if the firewall works. If not 
and if it locks you out, well ... then the machine will reboot in 5 minutes 
and you can try again. If it works just fine and you don't want the reboot to 
occur, then issue CTRL+C in the second console (where you issued the reboot) 
to abort the reboot.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
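The "reboot in 5 minutes unless I cancel it" trick above is a dead man's switch. The script below, as an added example that is not part of Michael's post or of gShield, implements a lighter variant of the same idea: a background watchdog calls the reset routine (policies back to ACCEPT, chains flushed) after a grace period unless it is disarmed, so a bad ruleset costs you a flushed firewall rather than a reboot. The DRY_RUN knob, the log and PID file paths, and the function names are assumptions made for this example; with DRY_RUN=1 the ipchains commands are recorded instead of executed, which is how it can be exercised on a box without ipchains.

```shell
#!/bin/sh
# Added example (not from the original post): a dead man's switch for testing
# a new ipchains ruleset over SSH. Arm the watchdog, load the rules in the same
# session, and disarm it only once you have confirmed you are not locked out.
# DRY_RUN, FW_LOG and PID_FILE are assumptions made for this example.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
DRY_RUN="${DRY_RUN:-0}"                     # 1 = record commands instead of running them
FW_LOG="${FW_LOG:-/tmp/fw-test.log}"        # command log used in dry-run mode (assumed path)
PID_FILE="${PID_FILE:-/tmp/fw-safety.pid}"  # PID of the armed watchdog (assumed path)

# Run one ipchains command, or in dry-run mode append it to the log.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPCHAINS" "$*" >> "$FW_LOG"
    else
        "$IPCHAINS" "$@"
    fi
}

# Reset routine from the post: default policies back to ACCEPT, then flush.
# It does not exit here, because the watchdog calls it from a subshell.
down() {
    echo "Flushing all rulesets -- firewall disabled"
    fw -P input ACCEPT
    fw -P output ACCEPT
    fw -P forward ACCEPT
    fw -F
}

# Arm the watchdog: after $1 seconds (default 300, i.e. the 5 minutes from the
# post) the firewall is flushed unless disarm_safety_net was called first.
# The watchdog is a background subshell; its PID is kept so it can be killed.
arm_safety_net() {
    grace="${1:-300}"
    ( sleep "$grace" && down ) &
    echo $! > "$PID_FILE"
}

# Disarm the watchdog before the grace period ends.
# Returns 0 if an armed watchdog was found and killed, 1 otherwise.
disarm_safety_net() {
    [ -f "$PID_FILE" ] || return 1
    pid=$(cat "$PID_FILE")
    rm -f "$PID_FILE"
    kill "$pid" 2>/dev/null
}

# Dry-run bookkeeping: how many times the flush (-F) has been recorded.
flush_count() {
    [ -f "$FW_LOG" ] || { echo 0; return 0; }
    grep -c -- ' -F$' "$FW_LOG" || :
}

# Command line entry point: "arm [seconds]" before loading rules, "disarm" after.
main() {
    case "$1" in
        arm)    arm_safety_net "$2" ;;
        disarm) disarm_safety_net ;;
        *)      echo "Usage: $0 arm [seconds]|disarm" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Typical use from a single SSH session: `./fw-safety.sh arm 300`, load the new ruleset, open a second SSH connection to prove you still get in, then `./fw-safety.sh disarm`. If the second connection fails, do nothing and the watchdog flushes the rules five minutes later. Note that the watchdog subshell is killed by PID, so an orphaned `sleep` may linger briefly after disarming; it never reaches `down`.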