begin quoting Gregory K. Ruiz-Ade as of Tue, Aug 08, 2006 at 02:10:50PM -0700:

> So, I've been following this thread, and all I can think of as I've
> seen it evolve is "this is the sure-fire path to completely locking
> yourself out of your machine."
>
> Remote firewall maintenance, unless you're ABSOLUTELY, POSITIVELY
> sure about what you're doing, is risky. Once you lock yourself out,
> you're screwed.
Heh. Yup. Thus, you want another way in (for a while, I had a machine behind one firewall that had a serial cable connection to the other firewall, so that if the second got trashed, I could still get through on the other) or a timer. Or be Really Really careful, and be prepared to drive/fly/walk/crawl to the remote machine if you screw it up.

[snip]

> Which, to me, means you REALLY don't need to muck about with flushing/
> reloading your iptables firewall rules _daily_ to account for changes
> in this file. Heck, looks like once every six months would be more
> than frequent enough.

Once it's scripted, why not once a month, week, day...

> However, if you're going to be designing a firewall and you're going
> to want to have sets of rules that you want to change with any sort
> of frequency or automation, you need to carefully design the firewall
> with those rules in a separate chain that won't cause the firewall to
> spank itself should that chain be flushed. (Sorry for the run-on...)
> There is no canned approach to this, so crack open your shell
> scripting toolbox and have at it.

There's probably the REAL solution. :)

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
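The "separate chain" design and the "timer" escape hatch mentioned in this exchange, worked through as an added example. This script is not from the thread or from any list member; the chain name DYNBLOCK, the admin network 192.0.2.0/24 (an RFC 5737 documentation range), and the blocklist path /etc/firewall/blocklist.txt are assumptions for illustration. The base rules (loopback, established traffic, SSH from the admin network) are installed once and never flushed by the scheduled job; the job only rebuilds the dynamic chain that INPUT jumps to, so a flush or a bad blocklist cannot remove the rule that lets you back in. Setting IPT to "echo" gives a dry run that prints the iptables invocations instead of executing them.

```shell
#!/bin/sh
# Example only (not from the kplug-list thread): keep volatile rules in a
# dedicated chain so an automated reload cannot break the base firewall,
# plus a dead-man timer for hand edits on a remote box.

IPT="${IPT:-iptables}"                  # set IPT=echo for a dry run
DYN_CHAIN="${DYN_CHAIN:-DYNBLOCK}"     # assumed chain name
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # assumed management network
BLOCKLIST="${BLOCKLIST:-/etc/firewall/blocklist.txt}"  # assumed path

# One-time base firewall. Never run this from the scheduled job.
setup_base() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management SSH is accepted *before* the jump to the dynamic chain,
    # so nothing loaded into that chain can cut off your own access.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    $IPT -N "$DYN_CHAIN"
    $IPT -A INPUT -j "$DYN_CHAIN"
}

# Scheduled job: flush only the dynamic chain and refill it from the
# blocklist (one address or CIDR per line; '#' comments and blanks ignored).
# The base rules and the INPUT -> DYN_CHAIN jump are untouched.
reload_dynamic() {
    $IPT -F "$DYN_CHAIN" || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$BLOCKLIST" | while read -r net rest; do
        $IPT -A "$DYN_CHAIN" -s "$net" -j DROP
    done
}

# Dead-man timer for interactive edits: save the known-good ruleset, then
# schedule a restore. Kill the returned PID once you have confirmed you can
# still log in; if you locked yourself out, the restore brings you back.
arm_deadman() {
    secs="${1:-300}"
    save="${2:-/tmp/fw.known-good}"
    iptables-save > "$save" || return 1
    ( sleep "$secs" && iptables-restore < "$save" ) &
    echo $!
}

case "${1:-}" in
    setup)   setup_base ;;
    reload)  reload_dynamic ;;
    deadman) arm_deadman "${2:-300}" ;;
    *)       echo "usage: $0 setup|reload|deadman [seconds]" >&2 ;;
esac
```

Run `setup` once by hand, put `reload` in cron, and before any manual change to the base rules run `deadman 300`, then `kill` the printed PID after you have reconnected successfully.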
