[nzlug] Firewall ruleset check...
Daniel Pittman
daniel at rimspace.net
Thu May 15 12:20:57 NZST 2008
Cliff Pratt <enkidu at cliffp.com> writes:
> Daniel Pittman wrote:
>
>> Trivial features such as "try" mode where you can safely remotely
>> modify the firewall configuration, for example, sound seductively
>> easy to write yourself and can be non-trivial. They can, however,
>> greatly reduce the complexity of managing the firewall.
>
> To change the topic, slightly:
>
> When I see people make remote changes and crossing their fingers I
> think to myself that there is a better way.
Absolutely. :)
> When I make a remote change to a network, for example, I try to have a
> little script that
> a) moves the current config out of the way, b) runs some 'before'
> commands (e.g. ping, route, etc), c) makes the change, d) runs some
> 'after' commands, e) waits for 30 seconds or so, so that I can run
> some commands from the local end, f) reverses the changes and restores
> the status quo.
>
> Of course it's not perfect (if the script bombs for any reason, for
> example, you're in the dung)
...which is why I have a script that does the same[1], and why I use
something that someone else wrote rather than having to reinvent all
those wheels myself.
> but it seems the obvious way to protect yourself when making
> changes. But people say to me "Wow, what a good idea!" But to me it's
> simple caution and a bit of foresight.
*nod* It seems to surprise a lot of people that you /can/ safely
approach most situations in computing by thinking about how to safely
back out the change if something goes wrong.
From where I sit that is one of the key changes that experience brings:
people learn that they should be planning ahead for the worst case, not
just hoping for the best.
Regards,
Daniel
Footnotes:
[1] Well, it prompts me interactively to confirm that the new rules
should stick. This has the effect that it assures me that my ssh
session is working, so I can revert the change if I have to.
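The "try" mode and confirm-or-revert flow discussed in this thread, as an added example that is not either poster's script: APPLY, RESTORE and CHECK are placeholders for commands the operator supplies (for instance a saved ruleset fed back to iptables-restore), and the hypothetical try_change function keeps the change only when "yes" arrives on the same session before the timer fires.

```sh
#!/bin/sh
# "Try" mode for a remote firewall/network change (added example).
#
#   try_change APPLY RESTORE [TIMEOUT] [CHECK]
#
# APPLY installs the new configuration, RESTORE puts the old one back, and
# CHECK (optional) is run before and after so the two outputs can be compared.
# The change stays only if "yes" is typed within TIMEOUT seconds.  A dropped
# session (EOF on stdin), any other answer, or silence reverts it, so a rule
# that locks you out undoes itself.

try_change() {
    apply_cmd=$1 restore_cmd=$2 timeout=${3:-30} check_cmd=${4:-:}
    # Whoever creates this directory first (operator or timer) owns the
    # decision; mkdir is atomic, so the two can never both act.
    decided="${TMPDIR:-/tmp}/try_change.$$.decided"

    echo "--- before ---"; $check_cmd
    $apply_cmd || { echo "apply failed, nothing changed"; return 2; }
    echo "--- after ---"; $check_cmd

    # Dead man's switch: reverts on its own if nobody confirms in time.
    ( sleep "$timeout"
      mkdir "$decided" 2>/dev/null && $restore_cmd && echo "timed out, reverted" ) &
    watchdog=$!

    printf 'Keep the new configuration? Type yes within %ss: ' "$timeout"
    if read -r answer && [ "$answer" = "yes" ]; then
        if mkdir "$decided" 2>/dev/null; then
            # Disarm the timer before releasing the lock so it can never fire.
            kill "$watchdog" 2>/dev/null || :
            rmdir "$decided"; echo "kept"; return 0
        fi
        wait "$watchdog" || :            # timer won: already reverted
        rmdir "$decided"; echo "too late, reverted"; return 1
    fi
    # Session gone or operator declined: revert now unless the timer already did.
    if mkdir "$decided" 2>/dev/null; then
        kill "$watchdog" 2>/dev/null || :
        $restore_cmd || :
    else
        wait "$watchdog" || :
    fi
    rmdir "$decided"; echo "reverted"; return 1
}
```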