Alex Athanasopoulos wrote:

> Do not attempt to install Shorewall on a remote system. You are
> virtually assured to lock yourself out of that system.
>
> Luckily the hardware reboot procedure unlocked my system and I went
> back into installing Shorewall, after taking some precautions.

Yes, there are certain things where there are 2 types of people - those that have done it, and those that haven't ... yet! Like configuring a router remotely, can be tricky. Out of band access can be exceedingly useful then.

In my previous job, I made sure the remote sites had redundant links - partly to give continuity of service, partly to allow better remote diagnostics. Eg rather than "site down - could be link, router, LAN, something else", if I can use the backup link and log into the router remotely then I can pin it down to (eg) the WAN link.

> * Make sure that Shorewall is not started automatically at boot
> (startup=0 in /etc/default/shorewall). That way, if I misconfigure
> shorewall, I can recover with a reboot.
> * When experimenting with Shorewall, I set up a root cronjob that
> reboots the system at a certain time (usually 10 minutes into the
> future from when I want to try the new firewall). That way, if I
> lock myself out, I can just wait a few minutes until the software
> reboot removes the firewall, instead of resorting to a hardware
> reboot.

You could also try a short script (run from cron) that will do "shorewall clear", sleep for a few minutes, and then reboot. If shorewall clear does the trick (which it mostly should) then you can get back in and kill the job before it reboots.

> * I familiarized myself with the shorewall start, stop, clear, try,
> save, restore commands.

There are also safe-start and safe-restart. These will apply the changes, and then prompt you if you want to keep them. If you reply with no, or don't reply because you've locked yourself out, then it will timeout and revert to the previous running config.

> * Set up backup procedures sooner rather than later.

Nah, everyone knows that backup procedures are what you think about after you've had an incident. I know that's the best time to sell backup to customers - when they suddenly realise the value of them.

Of course, if we are able to rescue their data that isn't backed up, then that's a bonus.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
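The "shorewall clear, sleep, then reboot" safety script that the reply sketches, written out as an added example (it is not code from the post, from Alex, or from the Shorewall project). It is a small POSIX sh dead man's switch: arm it before applying a new configuration, and disarm it once you have confirmed you can still log in. If you are locked out, it first runs "shorewall clear" to open the box back up and, only if nobody disarms it after that, reboots as the last resort. The timings, the pid-file path, and the overridable SHOREWALL_BIN / REBOOT_CMD variables (which let the logic be exercised without root) are my assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the list post or the Shorewall project):
# a dead man's switch for testing firewall rules over a remote link.
#   1. arm it (from cron, or by hand just before "shorewall restart")
#   2. apply the new configuration
#   3. if you can still log in, disarm it; if you are locked out it runs
#      "shorewall clear" and, if still armed a while later, reboots.
# Assumed values (mine, not the post's): the default timings, the pid-file
# path, and the command variables that make the script testable unprivileged.

SHOREWALL_BIN="${SHOREWALL_BIN:-shorewall}"   # firewall command
REBOOT_CMD="${REBOOT_CMD:-/sbin/reboot}"      # last-resort command
PIDFILE="${PIDFILE:-/var/run/shorewall-safety-net.pid}"
CLEAR_AFTER="${CLEAR_AFTER:-600}"             # seconds until "shorewall clear"
REBOOT_AFTER="${REBOOT_AFTER:-300}"           # further seconds until reboot

# The countdown itself; runs as a background job.
safety_net_countdown() {
    # When disarmed (SIGTERM) also stop the sleep we are waiting on,
    # so no stray process outlives the countdown.
    trap 'kill "$sleep_pid" 2>/dev/null; exit 0' TERM INT
    sleep "$CLEAR_AFTER" & sleep_pid=$!
    wait "$sleep_pid" || true
    # Stage 1: drop every rule so an admin can get back in.
    "$SHOREWALL_BIN" clear
    sleep "$REBOOT_AFTER" & sleep_pid=$!
    wait "$sleep_pid" || true
    # Stage 2: nobody disarmed it after the clear, so reboot.
    $REBOOT_CMD
}

# True if the countdown recorded in PIDFILE is still running.
safety_net_is_armed() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start a countdown; refuses to start a second one alongside the first.
safety_net_arm() {
    if safety_net_is_armed; then
        echo "safety net already armed (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    safety_net_countdown >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo "armed: clear in ${CLEAR_AFTER}s, reboot ${REBOOT_AFTER}s after that"
}

# Stop the countdown; fails if nothing is armed.
safety_net_disarm() {
    if ! safety_net_is_armed; then
        rm -f "$PIDFILE"
        echo "nothing armed" >&2
        return 1
    fi
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" && echo "disarmed"
}

case "${1:-}" in
    arm)    safety_net_arm ;;
    disarm) safety_net_disarm ;;
    status) safety_net_is_armed && echo "armed" || { echo "not armed"; exit 1; } ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 arm|disarm|status" >&2; exit 2 ;;
esac
```

Typical use from an SSH session is `./safety-net.sh arm`, then `shorewall restart`, then, from a fresh login that proves the rules let you in, `./safety-net.sh disarm`. Running the clear stage well before the reboot stage is what makes this gentler than a bare cron reboot: in the common case the clear is enough and the reboot never happens. The safe-start and safe-restart commands mentioned in the reply cover the same need from inside Shorewall itself.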
