On 4/22/2014 4:09 PM, Anton Aylward wrote:
>> You can ssh into a remote server, dick around with the firewall settings and stop/restart it without worrying about killing your own ssh connection, and potentially leaving your remote machine in a broken and vulnerable state. That original connection will persist.
>
> I don't see the problem. The rules permit an ssh connection. My 'proposed' idea about tearing down connections that violate the rules would allow this connection because the rules permit it.

Ah, I see. You're obviously one of those guys who never makes an error! ;-) Me? I fuck up all the time. I accidentally get my NICs mixed up, deny inbound ssh, make typos that leave everything blocked, or nothing at all blocked, etc. If rolling the firewall killed existing connections, there has been more than one occasion where I would have been buying an airline ticket to some remote bush Alaskan village just to reboot the data collection server in the sewage plant or some such, all because of some stupid typo. I've learned to always leave that SSH session live and test new sessions before I tear it down.

> I'm NOT saying that starting the firewall should tear down all connections. I'm talking about connections that the firewall would otherwise prohibit.

Yeah, I understand. Give it a few weeks and SystemD will probably take over that too, but in the meantime netfilter doesn't know about those open connections, and making it do so may open as many security holes as it closes. Patrick's assumption that a *pre-existing* connection should be stopped by a new firewall rule is simply not the case today, but it is a common misconception. So much so that it is FAQ Question 4B in the Shorewall Firewall guide:

http://shorewall.net/3.0/FAQ.htm#faq4b

Patrick should test by restarting NFS, not *just* restarting the firewall.

-- 
---This space for rent---
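The behaviour the thread is arguing about, as an added toy model that is not part of the original e-mail and not netfilter code: a stateful filter whose connection-tracking table survives a rule reload, so an already-accepted flow keeps matching the ESTABLISHED rule after the port rule that admitted it is gone, while a fresh connection to the same port is dropped. The `evict_prohibited` option models Anton's proposal of tearing down tracked flows the new rules would not admit, and the last phase shows why the "typo" case kills the admin's own ssh session under that proposal. All class and function names, addresses and port numbers are constructed for the example.

```python
"""Toy model of a conntrack-backed packet filter (constructed example, not
netfilter).  Rules are evaluated first-match; the policy applies otherwise."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Connection identity, a cut-down conntrack tuple (constructed)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    dport: Optional[int] = None   # match this destination port, or any
    state: Optional[str] = None   # "NEW", "ESTABLISHED", or None for either


class StatefulFirewall:
    def __init__(self, rules, policy="DROP"):
        self.rules = list(rules)
        self.policy = policy
        self.conntrack = set()    # flows that have been accepted before

    def _lookup(self, flow, established):
        """Verdict for a flow under the current rules, without side effects."""
        for rule in self.rules:
            if rule.dport is not None and rule.dport != flow.dport:
                continue
            if rule.state == "ESTABLISHED" and not established:
                continue
            if rule.state == "NEW" and established:
                continue
            return rule.action
        return self.policy

    def reload(self, rules, evict_prohibited=False):
        # Restarting the firewall replaces the rule list only; the tracking
        # table is untouched unless we deliberately re-check each entry.
        self.rules = list(rules)
        if evict_prohibited:
            # Anton's proposal: re-evaluate every tracked flow as if it were
            # new and forget the ones the new rules would not admit.
            self.conntrack = {f for f in self.conntrack
                              if self._lookup(f, established=False) == "ACCEPT"}

    def packet(self, flow):
        verdict = self._lookup(flow, established=flow in self.conntrack)
        if verdict == "ACCEPT":
            self.conntrack.add(flow)
        return verdict


def scenario():
    """Walk through the thread's cases; returns a dict of verdicts."""
    est_ok = Rule("ACCEPT", state="ESTABLISHED")
    ssh_ok = Rule("ACCEPT", dport=22, state="NEW")
    nfs_ok = Rule("ACCEPT", dport=2049, state="NEW")
    open_rules = [est_ok, ssh_ok, nfs_ok]
    no_nfs_rules = [est_ok, ssh_ok]   # intended change: close NFS
    typo_rules = [est_ok]             # the "forgot ssh" mistake

    admin_ssh = Flow("10.0.0.5", "10.0.0.1", 22)      # constructed
    nfs_client = Flow("10.0.0.7", "10.0.0.1", 2049)   # constructed
    fw = StatefulFirewall(open_rules)
    r = {}
    r["ssh_before"] = fw.packet(admin_ssh)
    r["nfs_before"] = fw.packet(nfs_client)

    # Plain restart: the existing NFS flow still matches ESTABLISHED,
    # so "just restarting the firewall" does not exercise the new rule.
    fw.reload(no_nfs_rules)
    r["nfs_existing_plain"] = fw.packet(nfs_client)
    r["nfs_new_plain"] = fw.packet(Flow("10.0.0.8", "10.0.0.1", 2049))

    # Anton's variant: prohibited flows are torn down, permitted ones survive.
    fw.reload(no_nfs_rules, evict_prohibited=True)
    r["nfs_existing_evict"] = fw.packet(nfs_client)
    r["ssh_existing_evict"] = fw.packet(admin_ssh)

    # The typo: today the live ssh session survives and a second test
    # session reveals the mistake ...
    fw.reload(typo_rules)
    r["ssh_existing_typo"] = fw.packet(admin_ssh)
    r["ssh_new_typo"] = fw.packet(Flow("10.0.0.9", "10.0.0.1", 22))
    # ... whereas under the teardown proposal the admin is locked out too.
    fw.reload(typo_rules, evict_prohibited=True)
    r["ssh_existing_typo_evict"] = fw.packet(admin_ssh)
    return r


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:26s} {verdict}")
```

The point the model makes concrete is the one the reply gives: to see whether a new rule blocks NFS, start a *new* NFS connection (restart the service or the client) rather than watching an already-tracked one, and keep the original ssh session open until a fresh one has been shown to work.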