On Fri, 2004-08-20 at 08:32, Martin Slouf wrote:
... snip ...
> and (simple) questions once more:
>
> I'm using shorewall as my iptables scripts (I found it quite simple to
> set up) and I'm quite satisfied with it. My questions are for shorewall
> users.
>
> 1. When something is not set up correctly, the firewall ends up
> dropping all the packets -- that is not very good for distant management
> and this "feature" is forcing me to write my own firewall scripts to
> assure that ssh is always available at least.

Use the 'routestopped' option in your interfaces file. Then when you
'shorewall restart' with a faulty config you will be able to get back in
to fix it.

I had this problem and locked myself out of a remote firewall I was
updating a couple of times before I found the answer. It is embarrassing
to tell someone that you are coming to their site to fix a problem you
just created remotely ;-)

You will need to check that using this does not create any security
risks, but it seemed ok to me.

> I was looking in config and startup files but did not find a simple
> solution -- when internally running iptables commands return with
> failure, the failure is not returned from shorewall scripts (all is
> returned as proper exit code 0) and so you can't react to the exit
> code of the underlying iptables commands -- any solutions? (Using debian
> stable version 1.2.12.)
>
> 2. The above iptables commands I placed into the '/etc/shorewall/common'
> file, 'cause I found no better suitable location for them -- is there a
> file for running special user iptables commands?
>

So far I haven't tried this as I could do everything I needed using the
standard config files.

> thx.
>
>
> > > aaaa, I just noticed that you're Czech :) so hi :)
>
> sure! greetings to Slovakia! long live blackhole.sk!
>
> m.
>

HTH
--
Giles Nunn

