On my first day of installing Shorewall on a remote system I locked myself
out, as advertised in the Quick Start Guides:
http://www.shorewall.net/shorewall_quickstart_guide.htm

*Do not attempt to install Shorewall on a remote system. You are virtually
assured to lock yourself out of that system.*

Luckily the hardware reboot procedure unlocked my system and I went back
into installing Shorewall, after taking some precautions.

* Please put this warning in the Beginners Documentation:
http://www.shorewall.net/GettingStarted.html
This is where I started from and I didn't see the warning.  (However, I had
already thought of the possibility of locking myself out, so I took my
chances knowingly).
* Replace the "don't do this" warning with a "how to do it" section.  Many
of us use rented servers that are accessible only remotely and do not come
with a firewall.  What are we to do?  Not use a firewall?

Here is the "how-to" that I followed after my lock-out experience:

*Before installing Shorewall on a remote system, take these precautions.
Otherwise, you are virtually assured to lock yourself out of that system.*

* Make sure that Shorewall is not started automatically at boot (startup=0
in /etc/default/shorewall).  That way, if I misconfigure shorewall, I can
recover with a reboot.
* When experimenting with Shorewall, I set up a root cron job that reboots
the system at a certain time (usually 10 minutes into the future from when
I want to try the new firewall).  That way, if I lock myself out, I can
just wait a few minutes until the software reboot removes the firewall,
instead of resorting to a hardware reboot.
* I familiarized myself with the shorewall start, stop, clear, try, save,
restore commands.
* Don't try to fix a firewall by installing another firewall.  I think I
locked myself out by trying to reinstall my previous home-made iptables
configuration while Shorewall was in an unsatisfactory "try" state.  My
existing ssh connection froze.  I still don't know why this happened.
* I plan to familiarize myself with my server's rescue procedures.  I
already learned about the hardware reboot the hard way.
* Set up a firewall early, while the server is not used for much else.  That
will cut down on disruptions.
* Set up backup procedures sooner rather than later.
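The safety-net cron job from the list above, written up as a small script (an added example, not from the original post): it puts a fallback command into root's crontab N minutes ahead, replacing any earlier one, and removes it again once the new firewall is confirmed from a working session. It assumes a Linux host with cron/crontab; FALLBACK_CMD defaults to "shorewall clear" and can be set to "/sbin/shutdown -r now" for the full reboot the post describes.

```shell
#!/bin/sh
# Safety net for remote firewall changes: if the new rules lock you out,
# cron runs FALLBACK_CMD a few minutes later and opens the box again.
# Assumption: root crontab is used and /sbin/shorewall is the Shorewall CLI.
FALLBACK_CMD="${FALLBACK_CMD:-/sbin/shorewall clear}"
TAG="# shorewall-safety-net"   # marks our line so it can be found and removed

# Print the crontab line that runs FALLBACK_CMD once, at HH:MM (24h clock).
cron_line() {
    hhmm="$1"
    printf '%s %s * * * %s %s\n' "${hhmm#*:}" "${hhmm%:*}" "$FALLBACK_CMD" "$TAG"
}

# HH:MM that is $2 minutes after the HH:MM in $1, wrapping past midnight.
add_minutes() {
    h="${1%:*}"; h="${h#0}"      # strip one leading zero so "09" is not octal
    m="${1#*:}"; m="${m#0}"
    total=$(( (h * 60 + m + $2) % 1440 ))
    printf '%02d:%02d\n' $((total / 60)) $((total % 60))
}

# Read a crontab on stdin, drop any old safety-net line, append a fresh one.
# usage: install_net <HH:MM now> <minutes ahead>
install_net() {
    grep -v -F "$TAG" || true
    cron_line "$(add_minutes "$1" "$2")"
}

# Read a crontab on stdin and write it back without the safety-net line.
cancel_net() { grep -v -F "$TAG" || true; }

# Command-line use (no arguments: just define the functions):
#   ./safety_net.sh install 10   # fallback fires 10 minutes from now
#   shorewall try /etc/shorewall # test the new rules from this session
#   ./safety_net.sh cancel       # new rules work: disarm the fallback
case "${1:-}" in
    install) crontab -l 2>/dev/null | install_net "$(date +%H:%M)" "${2:-10}" | crontab - ;;
    cancel)  crontab -l 2>/dev/null | cancel_net | crontab - ;;
esac
```

If the fallback does fire, remember to run "cancel" afterwards as well, otherwise the crontab still carries the line and cron will run it again the next day at the same time.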
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users