
Re: [cobalt-security] Portsentry, ipchains and pmfirewall



> Date: Tue, 22 Jan 2002 19:24:04 +0100
> From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>

> > Problem:  That leaves you open for five minutes after a reboot.
> 
> How often do you reboot? If it's more than once per month then
> it's too often.

When I perform a hardware or kernel upgrade, or (on a BSD machine
with high securelevel) when I need to overwrite immutable files.
Anywhere from every three months to once every year and a half.

> > What I suggest is writing a quick shell script that flushes the
> > firewall rules, loads the new rules, then sleeps for a minute or
> > two.  If not killed, it then flushes the ipchains and reloads
> > your old ruleset.
> 
> I might be wrong here, but scripts are bound to the user
> session, right?   That's most likely an incorrect term and what
> I want to say is this: You start a script from SSH (or
> Telnet) and when you close the connection the script will be
> terminated, too. Unless you daemonized it, which requires 

Don't close the session.

> more than pushing it into the background with an "&". So if 
> improper firewall rules interfere with your shell session, then
> you're still as much screwed with your proposed script as you
> are without.

	#!/bin/sh
	# flush_fw_rules / load_new_rules / load_old_rules stand in for
	# whatever commands clear and load your ipchains ruleset.
	flush_fw_rules
	load_new_rules
	# Grace period: kill the script here to keep the new rules.
	sleep 60
	# Not killed, so the new rules locked you out: roll back.
	flush_fw_rules
	load_old_rules

If the new rules are bad, the script will run its course and
reload the old rules.  If the script is good (one can test over
serial console or via second SSH login), kill it while it's
sleeping.  You're now running with new rules.

This prevents 1) the need to reboot and 2) running wide open for
several minutes upon bootup.

FWIW, when I _know_ that a new ruleset will work, I just

	/path/to/load/rules 1> /dev/null 2> /dev/null &

You don't want I/O to kill your session if you're default deny
(recommended) and your SSH allow rule isn't yet in place.

> > Portmaster 2's are cheap nowadays.  Buy one and give yourself
> > serial console access to all your boxen.
> 
> Unfortunately too many ISPs charge you extra for setting them
> up in their datacenter. But personally I think that these
> devices (not necessarily from that manufacturer) are an
> investment well worth it.

Yes.  Multiport serial cards are also handy... even more so when
running stateful rules whose state is erased when reloading
rules.


Eddy

---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
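The sleep-and-revert script above, combined with the I/O redirection Eddy describes for running a loader in the background, can be put together as a small dead-man's-switch reload. The following is an added example for this thread, not code from the original post or from the pmfirewall/portsentry projects. The commands that load the new and the old ruleset are passed in by the caller (for ipchains that would typically be `ipchains-restore` reading a saved rules file; the file paths are the caller's own), so the functions themselves are not tied to any particular firewall and can be tried first with harmless commands:

```shell
#!/bin/sh
# Dead-man's-switch rule reload (added example, not from the original post).
# Apply a candidate ruleset, then start a detached timer that restores the
# old ruleset unless it is killed before it fires.
#
# NEW_CMD and OLD_CMD are whatever commands load the new and the old
# ruleset (e.g. "ipchains-restore < /path/to/new.rules"; the paths are an
# assumption of the caller, nothing here depends on them).

# safe_reload NEW_CMD OLD_CMD TIMEOUT_SECONDS
# Prints the PID of the revert timer; kill that PID to keep the new rules.
safe_reload() {
    new_cmd=$1
    old_cmd=$2
    timeout=$3

    # Load the candidate rules. If loading itself fails, restore at once
    # rather than leaving a half-loaded chain in place.
    if ! sh -c "$new_cmd"; then
        sh -c "$old_cmd"
        return 1
    fi

    # Revert timer. It ignores SIGHUP and has no tty I/O, so losing the
    # SSH session (the failure mode discussed in the thread) does not take
    # it down, and a blocked write to a dead terminal cannot hang it.
    # Sending it SIGTERM before the sleep ends skips the revert.
    ( trap '' HUP; sleep "$timeout"; sh -c "$old_cmd" ) </dev/null >/dev/null 2>&1 &
    echo $!
}

# confirm_rules TIMER_PID
# Run from a *second* session once you have verified the new rules still
# let you in. Returns non-zero if the timer has already fired, which means
# the old rules are back and the new ones need another look.
confirm_rules() {
    kill "$1" 2>/dev/null
}
```

Typical use is `pid=$(safe_reload "ipchains-restore < new.rules" "ipchains-restore < old.rules" 120)` from the first session, a fresh SSH login to check that the box still answers, then `confirm_rules "$pid"`. If the second login never gets through, the timer restores the old rules after 120 seconds without anyone touching the console.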
