
Re: [cobalt-security] Portsentry, ipchains and pmfirewall



On Tue, 22 Jan 2002 20:38:57 +0100
Michael Stauber <cobalt@xxxxxxxxxxxxxx> wrote:

> > > I want to say is this: You start a script from SSH (or
> > > Telnet) and when you close the connection the script will be
> > > terminated, too. Unless you daemonized it, which requires
> >
> > Don't close the session.
> 
> Oh, I won't and I wouldn't. But if the firewall blocks your SSH session 
> thanks to a screwed up ruleset, then your firewall reset script dies with the 
> session as well and it will simply not fulfill its purpose. We're not talking 
> BSD here, but Cobalt OS. I tried this half a year ago and it didn't work.

This should have been some other problem.  An SSH session does not die
if the firewall blocks the packets, at least not for 10 minutes or some such,
which is the TCP keepalive period.  Things *may* (fail to) work the way
you say if you use the 'REJECT' target instead of 'DENY', and only if you
are unlucky.

Of course if we are speaking about debugging new rulesets, the more
robust you make your recovery tool the better.  Especially if your
server is in a datacenter on the other side of the Earth ;)  When
you have debugged the ruleset and it is known to work right, I vote
for activating it immediately after reboot, without delays.  Otherwise,
the bad guy who knows that there is an open window after reboot may
try to trick you into rebooting (social engineering, DoS attack, ...)
to use it and get inside.

(Yeah, right.  Paranoia.  That's part of my job :-)

Eugene
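The recovery tool discussed above, written out as an added example that is not from the thread: a POSIX shell script that snapshots the active ruleset, arms a rollback timer detached from the login session with nohup, loads the new rules, and reverts automatically unless the admin confirms from a working session within the window. FW_SAVE, FW_RESTORE, WINDOW and STATE_DIR are names assumed for this example; the defaults point at ipchains-save/ipchains-restore and can be overridden for other firewall tools.

```shell
#!/bin/sh
# Added example, not from the thread: apply a new firewall ruleset with a
# rollback timer detached from the login session, so a ruleset that locks
# out SSH is undone even though the session (and any script it ran) is gone.
# Assumptions: FW_SAVE prints the active rules to stdout and FW_RESTORE reads
# rules from stdin (ipchains-save / ipchains-restore here); WINDOW and
# STATE_DIR are names chosen for this example.

FW_SAVE="${FW_SAVE:-ipchains-save}"
FW_RESTORE="${FW_RESTORE:-ipchains-restore}"
WINDOW="${WINDOW:-120}"                 # seconds until automatic rollback
STATE_DIR="${STATE_DIR:-/var/run/fw-safe}"

# Arm a rollback timer that survives session hangup: nohup ignores SIGHUP and
# all three stdio streams are detached from the terminal.
# $1 = file holding the known-good ruleset, $2 = delay in seconds.
schedule_rollback() {
    mkdir -p "$STATE_DIR"
    nohup sh -c "sleep $2 && $FW_RESTORE < '$1'" \
        </dev/null >/dev/null 2>&1 &
    echo $! > "$STATE_DIR/rollback.pid"
}

# Snapshot the current rules, arm the timer, then load the new ruleset.
# $1 = file with the new ruleset.
apply_ruleset() {
    mkdir -p "$STATE_DIR"
    eval "$FW_SAVE" > "$STATE_DIR/known-good.rules" || return 1
    schedule_rollback "$STATE_DIR/known-good.rules" "$WINDOW"
    eval "$FW_RESTORE" < "$1"
}

# Run from a fresh session once the new rules are known to work: cancel the
# timer (killing its shell leaves an orphaned sleep, which is harmless).
# Returns 0 if a pending rollback was cancelled, 1 otherwise.
confirm_ruleset() {
    pidfile="$STATE_DIR/rollback.pid"
    [ -f "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" 2>/dev/null || return 1
    rm -f "$pidfile"
}

# Usage: fw-safe.sh apply new.rules, then within WINDOW seconds, from a new
# session, fw-safe.sh confirm; otherwise the saved rules are restored.
case "$1" in
    apply)   apply_ruleset "$2" ;;
    confirm) confirm_ruleset ;;
esac
```

Because the timer is armed before the new rules are loaded, a ruleset that cuts the session mid-way still gets reverted; keep WINDOW long enough to reach the box over a second path and short enough to bound the outage.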