[nzlug] Firewall ruleset check...
Cliff Pratt
enkidu at cliffp.com
Thu May 15 09:22:16 NZST 2008
Daniel Pittman wrote:
>
> Trivial features such as "try" mode where you can safely remotely
> modify the firewall configuration, for example, sound seductively
> easy to write yourself and can be non-trivial. They can, however,
> greatly reduce the complexity of managing the firewall.
>
To change the topic, slightly:
When I see people make remote changes and cross their fingers I think
to myself that there is a better way. When I make a remote change to a
network, for example, I try to have a little script that a) moves the
current config out of the way, b) runs some 'before' commands (e.g. ping,
route, etc.), c) makes the change, d) runs some 'after' commands, e) waits
for 30 seconds or so, so that I can run some commands from the local
end, f) reverses the changes and restores the status quo.
Of course it's not perfect (if the script bombs for any reason, for
example, you're in the dung) but it seems the obvious way to protect
yourself when making changes. But people say to me "Wow, what a good
idea!" But to me it's simple caution and a bit of foresight.
Cheers,
Cliff
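The script Cliff sketches in steps a) to f), written out as an added example (not code from the post or the list): it saves the current config, snapshots a check command before and after the change, and restores the saved copy unless the operator confirms from the local end within the timeout. All paths, the check command and the apply/restore commands are placeholder assumptions supplied by the caller.

```shell
# Added example, not from the post: a "try mode" wrapper following steps a) to f).
# Paths and commands are placeholders; the caller supplies the command that dumps the
# current config, the one that applies the change, and the one that restores the copy.
: "${WORKDIR:=/tmp/trychange}"
: "${SAVED:=$WORKDIR/config.before}"
: "${CONFIRM_FILE:=$WORKDIR/confirm}"   # operator creates this from the local end
: "${TIMEOUT:=30}"                      # seconds to wait before reverting
: "${CHECK_CMD:=ip route}"              # 'before'/'after' sanity command

# a) move the current config out of the way: save_config <dump-cmd...>
save_config() {
    mkdir -p "$WORKDIR"
    "$@" > "$SAVED"
}

# b) and d) run a check command and keep its output: snapshot <label> <cmd...>
snapshot() {
    label=$1; shift
    "$@" > "$WORKDIR/$label.out" 2>&1 || echo "warning: $label check failed" >&2
}

# e) wait up to $TIMEOUT seconds for the operator to create $CONFIRM_FILE
wait_for_confirm() {
    i=0
    while [ "$i" -lt "$TIMEOUT" ]; do
        [ -e "$CONFIRM_FILE" ] && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

# c) and f) apply the change, then revert unless confirmed in time.
# try_change <apply-cmd> <restore-cmd>; returns 0 kept, 1 reverted, 2 apply failed.
# The trap covers the "script bombs" case: a dropped session (HUP) or a kill mid-way
# restores the saved config instead of leaving the change half-applied.
try_change() {
    apply=$1; restore=$2
    rm -f "$CONFIRM_FILE"
    trap 'sh -c "$restore"; exit 3' HUP INT TERM
    snapshot before $CHECK_CMD
    if ! sh -c "$apply"; then
        sh -c "$restore"; trap - HUP INT TERM; return 2
    fi
    snapshot after $CHECK_CMD
    if wait_for_confirm; then
        trap - HUP INT TERM; return 0
    fi
    echo "no confirmation within ${TIMEOUT}s, restoring saved config" >&2
    sh -c "$restore"; trap - HUP INT TERM; return 1
}
```

For a firewall the dump and restore commands would be iptables-save and iptables-restore reading the saved file; the before/after outputs in $WORKDIR can be diffed once the change is confirmed.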