[Klug-general] Ideas, Offerings & Questions
J D Freeman
klug at quixotic.org.uk
Mon Jan 29 01:00:46 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Jan 26, 2007 at 04:23:13PM +0000, Matthew Macdonald-Wallace wrote:
> IPTables == excellent!
>
> Seriously, have a look at IP Tables. I'd set them up from the
> physical console of the machine, that way when you start your ruleset
> with
>
> # iptables -A INPUT -j DROP
> # iptables -A OUTPUT -j DROP
>
> which drops all packets, your ssh connection isn't cut off like mine
> was when I first tried this.
My recommendation with this, when testing firewall rules, is to set a
cron or at job for, say, 10 minutes in the future just before you load the
config, which reverts to either a flushed set or a known working set of
firewall rules. It acts as a dead man's switch, so even if you fuck up and
add iptables -I INPUT --dport 22 -j DROP to the config, all you do is
put the kettle on and wait for it to reset the firewall so you can get
back in. It's a dead man's switch.
J
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFFvUZH42M0lILkmGIRApYsAKDzC3aa/NKBq04rcn+94Wt1FciwYwCfZbzp
EKCm8e1unjSPo6W6RFte39M=
=Yijl
-----END PGP SIGNATURE-----
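The dead man's switch described in the post, as an added example (not code from either list member): save the working ruleset, queue a revert with at(1) before loading the new rules, and cancel the job once you have confirmed you can still log in. The backup path, the 10 minute delay and the script name are assumptions; it expects iptables-save, iptables-restore and the at daemon to be installed and to run as root when actually armed.

```shell
#!/bin/sh
# Dead man's switch for iptables changes (added example, not from the list post).
# Assumed defaults: BACKUP is where the known-good ruleset is saved, DELAY is the
# number of minutes before the revert fires. Override both from the environment.
BACKUP="${BACKUP:-/root/iptables.known-good}"
DELAY="${DELAY:-10}"

# Snapshot the currently working ruleset so the revert has something to restore.
save_known_good() {
    iptables-save > "$BACKUP"
}

# Write the revert script into the directory given as $1 and print its path.
# Kept separate so the generated file can be inspected without root or iptables.
write_revert_script() {
    dir="$1"
    script="$dir/revert-firewall.sh"
    cat > "$script" <<EOF
#!/bin/sh
# Runs unattended from at(1): restore the saved ruleset, or fall back to a
# flushed, accept-everything policy if no snapshot exists.
if [ -s "$BACKUP" ]; then
    iptables-restore < "$BACKUP"
else
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
fi
EOF
    chmod 700 "$script"
    printf '%s\n' "$script"
}

# Pull the numeric job id out of at(1)'s "job N at <date>" line (read from stdin).
parse_at_job_id() {
    sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# Queue the revert script and print the at job id so it can be cancelled later.
arm_switch() {
    printf '%s\n' "$1" | at "now + $DELAY minutes" 2>&1 | parse_at_job_id
}

# Cancel the pending revert once the new rules are confirmed working.
disarm_switch() {
    atrm "$1"
}

# Only act when explicitly invoked as "arm" or "disarm"; sourcing the file
# for inspection does nothing. "$2" is the new ruleset file for arm, the job id
# for disarm.
case "${1-}" in
    arm)
        save_known_good
        job=$(arm_switch "$(write_revert_script /root)")
        echo "revert queued as at job $job; disarm with: $0 disarm $job"
        iptables-restore < "$2"
        ;;
    disarm)
        disarm_switch "$2"
        ;;
esac
```

Usage: `./deadman.sh arm new-rules.v4` loads the new rules with a revert already queued; after confirming a fresh ssh login works, `./deadman.sh disarm <job>` cancels it. If you are locked out, the revert restores the snapshot on its own after the delay.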