* Lorenzo Martignoni <[EMAIL PROTECTED]>: 
> * John Summerfield <[EMAIL PROTECTED]>: 
> > Package: shorewall
> > Version: 2.2.3-1
> > Severity: normal
> > 
> > I maintain the software on several systems remotely, connecting over
> > the Internet.
> > 
> > I am concerned that one day an upgrade to shorewall will leave me with a
> > broken firewall and the need to visit the site or worse, find local
> > hired help.
> 
> Hi John,
> 
> I have the same worries.
> 
> I usually use debconf to warn users about possible problems with
> configuration files but I'm aware that that couldn't be enough and
> problems may arise all the same.
> 
> Unfortunately shorewall check is almost unsupported, that would be the
> best solution in my opinion.
> 
> > Ideas that come to mind:
> > Use alternatives to choose the active version. This should be in manual
> > mode. Store config files in version-dependent directories -
> > /etc/shorewall22 etc.
> > 
> > Use iptables-save to save a working firewall script and make this the
> > default, to be changed at a time of the sysadmin's choosing.
> 
> I cannot understand what really is your first idea, but I believe the
> second is much more interesting: backup your current configuration
> before restarting the firewall and eventually restore it.
> 
> I'll think about that...
> 
> > This is quite a serious concern to me; I've been cracked and my firewall
> > rules are part of my plan to limit (by IP address range) locations from
> > which connexions can be made to sensitive services.

Hello,

shorewall now supports two new commands: safe-start and safe-restart
that allow you to start or restart the firewall and to confirm that
everything is working fine. If you do not accept the new configuration
or you don't answer in a short time, the old firewall configuration is
restored automatically, leaving your machine in a safe state.

-- lorenzo
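
The confirm-or-rollback behaviour described in the message above, sketched as an added example (not part of the original thread and not shorewall's own code). The names safe_apply and fw_* are hypothetical; the defaults assume iptables-save, iptables-restore and shorewall are installed and that the script runs as root.

```bash
#!/bin/bash
# Added example: confirm-or-rollback around a firewall change.
# safe_apply and the fw_* helpers are hypothetical names, not shorewall code.

fw_save()    { iptables-save > "$1"; }      # snapshot the running ruleset
fw_restore() { iptables-restore < "$1"; }   # load a snapshot back
fw_apply()   { shorewall restart; }         # the change being tried

# Ask on the terminal; timeout, EOF or anything but y/Y counts as "no".
fw_confirm() {
    local answer
    printf 'Keep the new firewall rules? [y/N] (%ss) ' "$1" >&2
    read -r -t "$1" answer || return 1
    [ "$answer" = y ] || [ "$answer" = Y ]
}

# safe_apply [TIMEOUT_SECONDS]
# Returns 0 = new rules kept, 1 = rolled back, 2 = no snapshot (nothing
# changed), 3 = rollback failed (snapshot file is kept for manual recovery).
safe_apply() {
    local timeout=${1:-60} backup
    backup=$(mktemp) || return 2
    if ! fw_save "$backup"; then
        rm -f "$backup"
        return 2
    fi
    # If the new rules cut the SSH session, the shell gets SIGHUP; ignore it
    # so the rollback below still runs.
    trap '' HUP
    if fw_apply && fw_confirm "$timeout"; then
        rm -f "$backup"
        return 0
    fi
    if fw_restore "$backup"; then
        rm -f "$backup"
        return 1
    fi
    echo "rollback failed; snapshot kept at $backup" >&2
    return 3
}
```

The fw_* helpers are separate functions so the same wrapper can be exercised against stubs before it is trusted on a remote machine.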

