On May 4, 2004 06:03 pm, Ed Greshko wrote:
> On Wed, 2004-05-05 at 08:27, Pete Nesbitt wrote:
> > On a related note (I found interesting anyway), a while ago I checked
> > some iptables rules for someone, and made some changes, loaded them up on
> > my machine, got the expected errors (non valid interface etc) and then
> > stopped the firewall using 'service iptables stop'.
> > Shortly afterwards I experienced connectivity problems. The problem was
> > that the rules were partial and no default policies were in place, so
> > even though I stopped the iptables service (the user part), netfilter
> > (the kernel part) lived on. I needed to set default rules and start/stop
> > the fw in order to clear the test rules. It turns out "stop" means flush
> > the existing rules and set the default policies (normally accept for all
> > chains).
>
> That last bit, for a "firewall" seems to be bad practice. Best practice
> should be:
>
> Stop: Flush all existing rules/policies and go into "default" mode of
> reject ALL.
>
> Disable: Totally disable firewall. Reverting to accept ALL. In the
> case of iptables/ipchains this may also imply unloading relevant
> modules.
>
> FWIW, one can reference a good iptables front-end such as "shorewall".
> In this implementation:
>
> "shorewall clear" totally disables the firewall.
>
> "shorewall stop" reverts to the default "reject all" with the exception
> of hosts defined in the "routestopped" configuration. This will allow
> you to remotely maintain the firewall. That is, stop it but have at
> least one host with access.
>
> Regards,
> Ed
>
> --
> "An opinion is like an asshole - everybody has one."
> - Clint Eastwood as Harry Callahan, The Dead Pool - 1988.

I agree. Default of accept is the RH default though :( And in my case, I was testing on a protected workstation, so I really did want to clear everything and allow all.

shorewall looks interesting as it is script/file based, which is good as a firewall box should be minimal, which rules out a gui.

--
Pete Nesbitt, rhce
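The "stop" versus "clear" distinction Ed describes, written out as an added shell script for the plain iptables filter table (this is not code from the thread and not shorewall's own implementation). ADMIN_HOST is an assumed placeholder standing in for a routestopped entry; with DRY_RUN=1 the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: a "stop" that rejects everything except one maintenance
# host, and a "clear" that reverts to accept-all (what the RH init script's
# "stop" actually does). ADMIN_HOST is a constructed placeholder address.
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or just print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# "stop": default policy DROP on every chain, then flush, then re-add the
# loopback and maintenance-host exceptions. Policies go first so the box is
# never briefly wide open between the flush and the new rules.
fw_stop() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -X
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -s "$ADMIN_HOST" -j ACCEPT
    ipt -A OUTPUT -d "$ADMIN_HOST" -j ACCEPT
}

# "clear": flush everything and revert to ACCEPT on all chains. Only use this
# when you really intend the host to be unfiltered (as Pete did on a
# protected workstation).
fw_clear() {
    ipt -F
    ipt -X
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
}

if [ -n "${1:-}" ]; then
    case "$1" in
        stop)  fw_stop ;;
        clear) fw_clear ;;
        *)     echo "usage: $0 {stop|clear}" >&2; exit 2 ;;
    esac
fi
```

Compare `DRY_RUN=1 sh fw.sh stop` against `DRY_RUN=1 sh fw.sh clear` to see that only the latter leaves an ACCEPT policy on INPUT.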