[nzlug] Firewall ruleset check...
Matthew Poole
matt at p00le.net
Thu May 15 09:30:45 NZST 2008
On Thu, 15 May 2008, Cliff Pratt wrote:
> When I see people making remote changes and crossing their fingers I think to
> myself that there is a better way. When I make a remote change to a network,
> for example, I try to have a little script that a) moves the current config
> out of the way, b) runs some 'before' commands (eg ping, route, etc), c)
> makes the change, d) runs some 'after' commands, e) waits for 30 seconds or
> so, so that I can run some commands from the local end, f) reverses the
> changes and restores the status quo.
>
We use fwbuilder at work for building the rules for our pf-based
firewalls. Great software, definitely recommend it (apt-get install
fwbuilder), especially in situations where you've got multiple people who
will be admin'ing rules and not all of them speak iptables/pf/ipf/ipfw/pix
(yes, it does PIX too, and IOS ACLs).
One of its coolest features, though, is that there's a check-box in the
host configuration saying "Always allow SSH from this host..." There's no
way you can lock yourself out by making an ill-considered rule change.
Absolute genius.
--
Matthew Poole
"Don't use force. Get a bigger hammer."
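The before/change/after/wait/revert procedure Cliff describes, written out as an added example (not code from either poster): the change stays only if the operator confirms from a second session within the window, otherwise the saved ruleset is restored. `pfctl -f`, the `/etc/pf.conf`-style file layout and the `ping` checks are assumptions; for another firewall, redefine `load_rules` and the two checks.

```shell
#!/bin/sh
# Added example, not code from the thread: apply a firewall change remotely
# and revert it automatically unless the operator confirms from a second
# session. pfctl and a single ruleset file are assumed; for another
# firewall, redefine load_rules and the two checks before calling.

GATEWAY="${GATEWAY:-192.0.2.1}"   # placeholder (TEST-NET-1); set for real use

# Hooks, overridable by the caller before apply_with_rollback runs.
load_rules()   { pfctl -f "$1"; }                        # load ruleset file $1
before_check() { ping -c 1 "$GATEWAY" >/dev/null 2>&1; } # b) 'before' commands
after_check()  { ping -c 1 "$GATEWAY" >/dev/null 2>&1; } # d) 'after' commands

# rollback BACKUP LIVE: put the saved ruleset back and reload it.
rollback() {
    cp "$1" "$2" && load_rules "$2"
    rm -f "$1"
    echo "change reverted, previous ruleset restored" >&2
}

# apply_with_rollback NEW LIVE SECONDS CONFIRM_FILE
#   Saves LIVE, installs NEW, runs after_check, then waits up to SECONDS for
#   CONFIRM_FILE to appear (the operator touches it from another login).
#   Returns 0 if confirmed, 1 if rolled back, 2 if the change was never made.
apply_with_rollback() {
    new="$1"; live="$2"; secs="$3"; confirm="$4"
    backup="$live.bak.$$"
    cp "$live" "$backup" || return 2                     # a) set current config aside
    before_check || { echo "before-check failed, not touching rules" >&2; return 2; }
    cp "$new" "$live" || { rm -f "$backup"; return 2; }  # c) make the change
    if ! load_rules "$live" || ! after_check; then       # bad syntax or lost reachability
        rollback "$backup" "$live"; return 1
    fi
    i=0
    while :; do                                          # e) window for local checks
        if [ -e "$confirm" ]; then
            rm -f "$confirm" "$backup"; return 0         # operator confirmed: keep it
        fi
        [ "$i" -ge "$secs" ] && break
        sleep 1; i=$((i + 1))
    done
    rollback "$backup" "$live"; return 1                 # f) no confirmation: reverse it
}
```

Run it from the remote session with the window set to something like 30, and from a second local login touch the confirm file once routing and SSH still behave; if that second login never gets through, the old ruleset comes back by itself.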