From: Alex A. <al...@me...> - 2011-12-28 14:05:59
On my first day of installing Shorewall on a remote system I locked myself out, as advertised in the Quick Start Guides: http://www.shorewall.net/shorewall_quickstart_guide.htm

*Do not attempt to install Shorewall on a remote system. You are virtually assured to lock yourself out of that system.*

Luckily the hardware reboot procedure unlocked my system and I went back into installing Shorewall, after taking some precautions.

* Please put this warning in the Beginners Documentation: http://www.shorewall.net/GettingStarted.html This is where I started from and I didn't see the warning. (However, I had already thought of the possibility of locking myself out, so I took my chances knowingly.)

* Replace the "don't do this" warning with a "how to do it" section. Many of us use rented servers that are accessible only remotely and do not come with a firewall. What are we to do? Not use a firewall?

Here is the "how-to" that I followed after my lock-out experience:

*Before installing Shorewall on a remote system, take these precautions. Otherwise, you are virtually assured to lock yourself out of that system.*

* Make sure that Shorewall is not started automatically at boot (startup=0 in /etc/default/shorewall). That way, if I misconfigure Shorewall, I can recover with a reboot.

* When experimenting with Shorewall, I set up a root cronjob that reboots the system at a certain time (usually 10 minutes into the future from when I want to try the new firewall). That way, if I lock myself out, I can just wait a few minutes until the software reboot removes the firewall, instead of resorting to a hardware reboot.

* I familiarized myself with the shorewall start, stop, clear, try, save, restore commands.

* Don't try to fix a firewall by installing another firewall. I think I locked myself out by trying to reinstall my previous home-made iptables configuration while Shorewall was in an unsatisfactory "try" state. My existing ssh connection froze. I still don't know why this happened.

* I plan to familiarize myself with my server's rescue procedures. I already learned about the hardware reboot the hard way.

* Set up a firewall early, while the server is not used for much else. That will cut down on disruptions.

* Set up backup procedures sooner rather than later.
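As an added example that is not part of the original post nor of the Shorewall project's own tooling, here is a small POSIX shell script that automates the two precautions above that are easiest to get wrong on a remote box: checking that startup=0 is really set in /etc/default/shorewall, and arming a self-removing root cron job that undoes the firewall (by default with `shorewall clear`; pass `/sbin/reboot` for the reboot approach the post uses) a few minutes after you try the new configuration. It assumes GNU date (for `-d @EPOCH` and the `%-M` style fields), a root crontab editable with crontab(1), and a Debian-style defaults file; the function names and the `# shorewall-deadman` tag are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# a crontab-based "dead-man's switch" for trying a firewall on a remote host.
# Assumptions: Debian-style /etc/default/shorewall with a startup= line,
# GNU date (-d @EPOCH and %-M style fields), root crontab via crontab(1).

TAG='# shorewall-deadman'   # trailing marker so the line can be found/removed

# Check that Shorewall will NOT start at boot, so a reboot always clears it.
# Takes the defaults file as an argument so it can be tested on any file.
startup_disabled() {
    grep -Eq '^[[:space:]]*startup=0[[:space:]]*$' "$1"
}

# Print a one-shot crontab line that runs CMD at NOW + MINUTES in local time
# (cron evaluates its fields in local time). EPOCH may be given for testing.
deadman_cron_line() {
    minutes=$1
    cmd=$2
    epoch=${3:-$(date +%s)}
    target=$((epoch + minutes * 60))
    fields=$(date -d "@$target" '+%-M %-H %-d %-m')
    printf '%s * %s %s\n' "$fields" "$cmd" "$TAG"
}

# Arm the switch: in MINUTES, run the recovery command and then strip the
# tagged line again so the job does not fire again on the same date next year.
deadman_arm() {
    minutes=${1:-10}
    recover=${2:-"/sbin/shorewall clear"}
    line=$(deadman_cron_line "$minutes" \
        "$recover; crontab -l | grep -v '$TAG' | crontab -")
    { crontab -l 2>/dev/null | grep -v "$TAG"; echo "$line"; } | crontab -
    echo "armed: $line"
}

# Disarm once a NEW ssh session (not the one you already hold) has succeeded.
deadman_disarm() {
    crontab -l 2>/dev/null | grep -v "$TAG" | crontab -
}

# Typical session, run by hand as root (not executed by this file):
#   startup_disabled /etc/default/shorewall || echo "set startup=0 first"
#   deadman_arm 10                   # recovery fires in 10 minutes
#   shorewall try /etc/shorewall     # or: shorewall start
#   ...open a fresh ssh session to confirm you can still get in...
#   deadman_disarm && shorewall save
```

The cron job is deliberately independent of Shorewall itself: `shorewall try` can time out and restore the previous state on its own, but the post's lock-out happened while another iptables setup was being loaded on top of a "try" state, and a scheduled `shorewall clear` or reboot still recovers from that. Always test access from a new connection; an established ssh session can keep working (or freeze, as the post describes) regardless of what a new one would see.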