[Shorewall-users] How to install Shorewall on a remote system...

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On my first day of installing Shorewall on a remote system I locked myself
out, as advertised in the Quick Start Guides:
http://www.shorewall.net/shorewall_quickstart_guide.htm

*Do not attempt to install Shorewall on a remote system. You are virtually
assured to lock yourself out of that system.*

Luckily the hardware reboot procedure unlocked my system and I went back
into installing Shorewall, after taking some precautions.

* Please put this warning in the Beginners Documentation:
http://www.shorewall.net/GettingStarted.html
This is where I started from and I didn't see the warning.  (However, I had
already thought of the possibility of locking myself out, so I took my
chances knowingly).
* Replace the "don't do this" warning with a "how to do it" section.  Many
of us use rented servers that are accessible only remotely and do not come
with a firewall.  What are we to do?  Not use a firewall?

Here is the "how-to" that I followed after my lock-out experience:

*Before installing Shorewall on a remote system, take these precautions.
Otherwise, you are virtually assured to lock yourself out of that system.*

* Make sure that Shorewall is not started automatically at boot (startup=0
in /etc/default/shorewall).  That way, if I misconfigure shorewall, I can
recover with a reboot.
* When experimenting with Shorewall, I setup a root cronjob that reboots
the system at a certain time (usually 10 minutes into the future from when
I want to try the new firewall).  That way, if I lock myself out, I can
just wait a few minutes until the software reboot removes the firewall,
instead of resorting to a hardware reboot.
* I familiarized myself with the shorewall start, stop, clear, try, save,
restore commands.
* Don't try to fix a firewall by installing another firewall.  I think I
locked myself out by trying to reinstall my previous home-made iptables
configuration while Shorewall was in an unsatisfactory "try" state.  My
existing ssh connection froze.  I still don't know why this happened.
* I plan to familiarize myself with my server's rescue proceedures.  I
already learned about the hardware reboot the hard way.
* Setup a firewall early, while the server is not used for much else.  That
will cut down on disruptions.
* Setup backup procedures sooner rather than later.