On 10/28/2014 5:59 PM, Christopher Schultz wrote:

Terence,

On 10/28/14 5:49 PM, Terence M. Bandoian wrote:
On 10/28/2014 8:55 AM, Léa Massiot wrote:
Christopher Schultz-2 wrote
A bit of warning: when modifying iptables, you need to be very
careful that you don't wipe-out any rules that allow you to
gain remote access to the server. For instance, if you have a
default rule to DROP all packets and an exception that allows
port 22 (ssh) traffic, then flushing all the rules in a table
can make it impossible for you to revert the change without
remote-rebooting (or, worse yet, paying someone to walk into
the cage and push the reset button).
Yes right, fortunately I wasn't working on a remote machine.

On Debian Wheezy, the following set of commands actually disables
the firewall:
-------------------------------------------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
-------------------------------------------------------

Best regards.

Hi, Léa-

Ideally, I think you'd want to permanently modify the iptables
rules to enable traffic over the desired port.  Doing so would keep
the existing safety measures in place and all of the rules would
survive a reboot. However, if you just want to temporarily disable
iptables, I believe

service iptables stop

would do so.
Debian Wheezy doesn't use "service", instead it still uses
/etc/init.d. Oddly enough, there is no /etc/init.d/iptables script for
Debian[1]. We deploy on Debian in most environments and have simply
rolled our own iptables script that runs on boot.


Nasty. I like the service interface available on Red Hat and CentOS. On Debian/Ubuntu, it looks like the ufw package might be helpful.

-Terence



Permanently disabling iptables would require a little more work as,
in my experience, it is typically configured to start when the
system is booted.
Yes, and it's not really a good idea for production: you want your
firewall configured properly instead of in "by any means necessary"
mode. Configuring a server in anger usually ends up with an insecure
configuration.

- -chris
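The thread above turns on two points: flushing the tables on a remote box can cut off the SSH session you are working from, and the better fix is to add the one rule you need and keep the default-DROP posture. The script below is an added example written for this page; it is not code from anyone in the thread. It builds an iptables-restore ruleset that keeps the SSH exception while opening an application port, refuses a ruleset that would lock you out, and applies it with a timed rollback so a mistake undoes itself. The ports (22 and 8080), the backup path, the 120-second window and the use of `iptables-restore --test` (absent on very old iptables) are assumptions; building and checking a ruleset needs no privileges, applying it needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Ports, backup path and the rollback
# window below are illustrative assumptions.

# Emit a ruleset in iptables-save format: INPUT defaults to DROP, but
# loopback, replies to established connections, SSH and the application
# port are allowed. Nothing is flushed; the whole table is replaced atomically.
build_ruleset() {
    ssh_port="$1"
    app_port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${app_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The "don't lock yourself out" check: if INPUT defaults to DROP, there must
# be an ACCEPT for the SSH port, and the table must end with COMMIT.
# Returns 0 when the ruleset is safe to load on a remote machine.
check_ruleset() {
    ruleset="$1"
    ssh_port="$2"
    if printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$ruleset" | grep -q -- "--dport ${ssh_port} .*-j ACCEPT" || return 1
    fi
    printf '%s\n' "$ruleset" | grep -q '^COMMIT$'
}

# Apply with a safety net (root required): back up the live rules, parse the
# new ones without committing, start a background timer that restores the
# backup after 120 s, then load the new rules. From a *new* SSH session,
# kill the printed PID to keep the change; if that session cannot connect,
# the timer puts the old rules back.
apply_with_rollback() {
    ruleset="$1"
    backup="${2:-/root/iptables.backup}"   # assumed location
    check_ruleset "$ruleset" 22 || { echo "refusing: no SSH exception" >&2; return 1; }
    iptables-save > "$backup" || return 1
    printf '%s\n' "$ruleset" | iptables-restore --test || return 1
    ( sleep 120 && iptables-restore < "$backup" ) &
    echo "rollback timer pid $!  (kill it once you have confirmed access)"
    printf '%s\n' "$ruleset" | iptables-restore
}

# Dry run only; set IPTABLES_APPLY=1 to actually load the rules as root.
rules=$(build_ruleset 22 8080)
if check_ruleset "$rules" 22; then
    echo "ruleset passes the lock-out check"
    [ "${IPTABLES_APPLY-}" = "1" ] && apply_with_rollback "$rules"
else
    echo "ruleset would lock out SSH" >&2
fi
```

Once a ruleset has been confirmed from a fresh session, `iptables-save` it to wherever your boot-time loader reads from (on Debian the iptables-persistent package fills the gap the thread notes, since there is no /etc/init.d/iptables); that gives the "permanent modification that survives a reboot" Terence suggests without ever dropping to accept-all.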


