> A nicer way (as in less to code:) to do below would be to
> always require a trusted host IP address, so that even if
> they mess up their rules, the can as a last resort ssh to the
> server from that IP address, otherwise are we not going to be
>Not everyone has a static IP address. (Especially in Ireland!) You could set
it up to always leave sshd open to REMOTE_ADDR, but that would just be silly
(on dialup, someone else'll have it in an hour). You could set it up to
/disallow/ rules blocking REMOTE_ADDR, but what if that's what you actually
wanted to achieve?
> looking at some type of logical paraser first to detect rule
> conflicts?
>IMHO that should be handled by the GUI (as you suggest). We'd probably have
to include a basic /sanity/ parser to check for corrupted entries, but
checking for rule conlicts would be enormously complex; unless there's
well-documented and non-complex code available of course.
I picked up a trick from someone here of starting my firewall with a wee
script that loads the chains, sleeps for 60 seconds (while I try and ssh in
on another console), and then stops again. If it works, I load it properly.
Seems the simplest method to me.
We should definitely look at ways of doing this all from the GUI, but later
imho. Strikes me that getting a GUI generating a shell script first would be
a very good start, and that should be pretty easy for the target I suggested
(a dedicated server running stock services).
adam
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
