[CLUG] Web-based iptables administration

adam beecher lists at beecher.net
Wed Feb 9 23:15:18 GMT 2005


> A nicer way (as in less to code:) to do below would be to 
> always require a trusted host IP address, so that even if 
> they mess up their rules, they can as a last resort ssh to the 
> server from that IP address, otherwise are we not going to be 
>
Not everyone has a static IP address. (Especially in Ireland!) You could set
it up to always leave sshd open to REMOTE_ADDR, but that would just be silly
(on dialup, someone else'll have it in an hour). You could set it up to
/disallow/ rules blocking REMOTE_ADDR, but what if that's what you actually
wanted to achieve?

> looking at some type of logical parser first to detect rule 
> conflicts?
>
IMHO that should be handled by the GUI (as you suggest). We'd probably have
to include a basic /sanity/ parser to check for corrupted entries, but
checking for rule conflicts would be enormously complex; unless there's
well-documented and non-complex code available of course.

I picked up a trick from someone here of starting my firewall with a wee
script that loads the chains, sleeps for 60 seconds (while I try and ssh in
on another console), and then stops again. If it works, I load it properly.
Seems the simplest method to me.

We should definitely look at ways of doing this all from the GUI, but later
imho. Strikes me that getting a GUI generating a shell script first would be
a very good start, and that should be pretty easy for the target I suggested
(a dedicated server running stock services).

adam
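The "load, wait, revert unless I can still get in" trick described above, written out as an added example (not from the list post or from any project it mentions). It assumes iptables-save/iptables-restore are available and that the admin confirms by creating the file named in CONFIRM_FILE from a fresh ssh session; the command paths are variables so they can be stubbed for testing.

```shell
#!/bin/sh
# Added example: apply a candidate iptables rule set, wait for the admin to
# confirm from a NEW ssh session, and roll back automatically if no
# confirmation arrives. Assumed tools: iptables-save / iptables-restore.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
CONFIRM_FILE="${CONFIRM_FILE:-/run/iptables-confirm}"   # assumed path

# safe_apply NEW_RULES_FILE [TIMEOUT_SECONDS]
# Exit status: 0 = confirmed and kept, 1 = timed out and rolled back,
#              2 = could not snapshot or load rules (nothing changed).
safe_apply() {
    new_rules=$1
    timeout=${2:-60}
    backup=$(mktemp) || return 2
    rm -f "$CONFIRM_FILE"
    # Snapshot the currently loaded rules so they can be restored exactly.
    "$IPTABLES_SAVE" > "$backup" || { rm -f "$backup"; return 2; }
    # iptables-restore replaces the whole rule set in one step.
    if ! "$IPTABLES_RESTORE" < "$new_rules"; then
        rm -f "$backup"; return 2
    fi
    # Poll for the confirmation file; the admin creates it with
    #   touch "$CONFIRM_FILE"
    # once a new ssh login has succeeded under the candidate rules.
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$backup" "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    # No confirmation in time: put the previous rules back.
    "$IPTABLES_RESTORE" < "$backup"
    rm -f "$backup"
    return 1
}
```

Invoke as root with `safe_apply /path/to/candidate.rules 60`; if the new rules cut off ssh, the old set is back within the timeout without anyone touching the console.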
