> Use the 'routestopped' option in your interfaces file. Then when you
> 'shorewall restart' with a faulty config you will be able to get back in
> to fix it. I had this problem and locked myself out of a remote firewall
> I was updating a couple of times before I found the answer. It is
> embarrassing to tell someone that you are coming to their site to fix a
> problem you just created remotely ;-)
> You will need to check that using this does not create any security
> risks, but it seemed ok to me.
the same for me :) this option is fine -- i like it

i was just advised by some other guy that he uses a cron job that resets his
iptables every 5 minutes while he edits his firewall, also another good and
safe (!) solution -- if you write that script only to enable ssh connection,
it is ok. you are sure to reconnect over ssh in 5 minutes -- safe enough --
but be aware of other shorewall complexities -- it uses several user defined
chains and you should really make sure to reset them all to allow ssh
connection go through -- probably calling something like
/etc/init.d/shorewall stop from that script is not a bad idea at all :)
the only sad thing about it is that it was not my idea :)

> > i was looking in config and startup files but did not find a simple
> > solution -- when internally running iptables commands return with
> > failure, the failure is not returned from shorewall scripts (all is
> > returned as proper exit code 0) and so you can't react to the exit
> > code of underlying iptables commands -- any solutions (using debian
> > stable version 1.2.12).
> >
> > 2. the above iptables commands i placed into '/etc/shorewall/common'
> > file, cause i find no better suitable location for them -- is there a
> > file for running special user iptables commands?
>
> So far I haven't tried this as I could do everything I needed using the
> standard config files.

anyway, thx for answer, the option is helpful indeed. now i can see it even
in 'interfaces' file, but with description that tells nothing of its
practical use to a new shorewall user (me).

m.
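The "timed reset that only lets ssh back in" idea discussed above, written out as an added example; it is not code from the thread's posters or from the Shorewall project. It arms a one-shot rollback with at(1) before you restart the firewall and is disarmed once a fresh ssh login still works. The admin address 192.0.2.10, the state directory and the variable names are assumptions. Rather than tracking Shorewall's user-defined chains by name, the rollback restores a whole `*filter` table with iptables-restore, which replaces every chain in it; the fallback ruleset admits only ssh from the admin host plus established traffic, so a misfire does not leave the box wide open. Setting USE_SHOREWALL_STOP=1 swaps in the `/etc/init.d/shorewall stop` variant the reply suggests.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Shorewall project.
# Usage:  fw-safety.sh arm     (then edit/restart the firewall)
#         fw-safety.sh disarm  (after confirming a new ssh login works)
#         fw-safety.sh show    (print the fallback ruleset)
# All names and addresses below are assumptions for illustration.

ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"      # constructed: admin workstation
SSH_PORT="${SSH_PORT:-22}"
DELAY_MIN="${DELAY_MIN:-5}"                 # same 5-minute window as the thread
STATE_DIR="${STATE_DIR:-/var/run/fw-safety}" # hypothetical state location

# Minimal iptables-restore ruleset for the *filter table. Restoring a whole
# table replaces all of its chains, so Shorewall's user-defined chains are
# dropped without having to know their names. Only ssh from $1 on port $2,
# loopback and already-established traffic are accepted; the rest is dropped.
emit_safety_ruleset() {
    admin="$1"
    port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $admin --dport $port -j ACCEPT
COMMIT
EOF
}

# Command the timer will run. "shorewall stop" is the alternative from the
# thread; it applies Shorewall's own routestopped rules instead of ours.
rollback_command() {
    if [ "${USE_SHOREWALL_STOP:-0}" = 1 ]; then
        echo "/etc/init.d/shorewall stop"
    else
        echo "iptables-restore < $STATE_DIR/safety.rules"
    fi
}

# Arm: write the fallback ruleset, queue the rollback, remember the job id.
# at(1) reports "job N at <date>" on stderr, hence the 2>&1.
arm_rollback() {
    mkdir -p "$STATE_DIR"
    emit_safety_ruleset "$ADMIN_HOST" "$SSH_PORT" > "$STATE_DIR/safety.rules"
    rollback_command | at "now + $DELAY_MIN minutes" 2>&1 \
        | sed -n 's/^job \([0-9]*\) .*/\1/p' > "$STATE_DIR/job"
    echo "armed: rollback in $DELAY_MIN min (at job $(cat "$STATE_DIR/job"))"
}

# Disarm only after a *new* ssh session (not the one you are in) succeeds;
# an existing session survives most rule changes and proves nothing.
disarm_rollback() {
    [ -s "$STATE_DIR/job" ] || { echo "nothing armed" >&2; return 1; }
    atrm "$(cat "$STATE_DIR/job")" && rm -f "$STATE_DIR/job"
    echo "disarmed"
}

case "${1:-}" in
    arm)    arm_rollback ;;
    disarm) disarm_rollback ;;
    show)   emit_safety_ruleset "$ADMIN_HOST" "$SSH_PORT" ;;
esac
```

Two caveats worth keeping in mind when running it: the job queued by at(1) fires as root, so keep the state directory root-owned; and if the restart hangs rather than misconfigures, the rollback still runs at the deadline, which is exactly what you want.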

