On 04/22/2014 07:36 PM, John Andersen wrote:
On 4/22/2014 4:09 PM, Anton Aylward wrote:
You can ssh into a remote server, dick around with the firewall settings and stop/restart it without worrying about killing your own ssh connection, and potentially leaving your remote machine in a broken and vulnerable state. That original connection will persist.
I don't see the problem. The rules permit a ssh connection. My 'proposed' idea about tearing down connections that violate the rules would allow this connection because the rules permit it.
Ah, I see. You're obviously one of those guys who never makes an error! ;-) Me? I fuck up all the time. I accidentally get my NICs mixed up, deny inbound ssh, make typos that leave everything blocked, or nothing at all blocked, etc.
I'm a belt and braces and rivets and measure twice before deciding not to cut today but think about it overnight type of guy. I once referred to myself as a 'paid to be paranoid' type of sysadmin and was taken to task for that, being told that paranoia is an illness and not a security stance. I try very very hard to make sure my errors are (a) low impact and (b) reversible. Just don't mention that to SheWhoShallNotBeNamed, please.
I'm NOT saying that starting the firewall should tear down all connections. I'm talking about connections that the firewall would otherwise prohibit.
Yeah, I understand. Give it a few weeks and SystemD will probably take over that too, but in the meantime netfilter doesn't know about those open connections, and making it do so, may open as many security holes as it closes.
Patrick's assumption that a *pre-existing* connection should be stopped by a new firewall rule is simply not the case today, but it is a common misconception. So much so that it is FAQ Question 4B in the Shorewall Firewall guide. http://shorewall.net/3.0/FAQ.htm#faq4b
Indeed. As you point out, that is the way iptables has been set up to work. I'm not saying that is not how things work; I'm just saying that, rightly or wrongly, there is a potential security risk. Patrick's strategy of disconnecting the router was one very effective way of mitigating that risk. Could iptables be set up so that a firewall will tear down an existing connection that violates its rules? I have no doubt it could. The way things work now seems to be a well-established convention, sort of like what side of the road to drive on. So long as everyone follows the same convention we have a predictable behaviour. The 'logical' argument that we should drive on the left in the northern hemisphere and on the right in the southern so as to counteract the natural spin of tornadoes is totally beside the point: like in Ruby on Rails, convention trumps everything. I think Patrick is eminently sensible. A simple and effective solution. He's obviously one of us 'security paranoid' types.
-- 
intaxification (n): Euphoria at getting a tax refund, which lasts until you realize it was your money to start with.
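The behaviour the thread is arguing about (an ESTABLISHED rule plus the kernel's connection-tracking table lets a pre-existing ssh session survive a rule reload that would refuse a fresh one, and flushing the matching conntrack entries is what makes the new policy bite on existing flows) can be watched in a small model. The following is an added example written for this page, not code from the thread, Shorewall or netfilter: it is a toy stateful filter with a rule list and a conntrack set, and the addresses, `Flow`/`Rule`/`Firewall` names and `demo()` are constructed for illustration. The `flush_conntrack` method plays the role of the `conntrack -F` / `conntrack -D` commands on a real system.

```python
"""Toy model of a stateful packet filter in the style of netfilter: a rule
list plus a connection-tracking table.  Constructed teaching example; it
does not drive iptables or the conntrack tool, and the flows are made up."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dport: int


@dataclass
class Rule:
    action: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstate: Optional[str] = None   # like `-m conntrack --ctstate ESTABLISHED`

    def matches(self, flow: Flow, state: str) -> bool:
        return ((self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport)
                and (self.ctstate is None or self.ctstate == state))


class Firewall:
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = list(rules)
        self.policy = policy                 # chain policy when no rule matches
        self.conntrack: Set[Flow] = set()    # flows already accepted (the conntrack table)

    def verdict(self, flow: Flow, state: str) -> str:
        # First matching rule wins, as in an iptables chain.
        for rule in self.rules:
            if rule.matches(flow, state):
                return rule.action
        return self.policy

    def filter(self, flow: Flow) -> str:
        # A flow already in the table is ESTABLISHED; anything else is NEW.
        state = "ESTABLISHED" if flow in self.conntrack else "NEW"
        result = self.verdict(flow, state)
        if result == "ACCEPT":
            self.conntrack.add(flow)
        return result

    def replace_rules(self, rules: List[Rule]) -> None:
        # Reloading rules (a firewall restart) leaves the conntrack table
        # alone, which is why existing sessions survive the reload.
        self.rules = list(rules)

    def stale_entries(self) -> Set[Flow]:
        # Tracked flows the current rules would refuse if they arrived as NEW:
        # they stay alive only through the ESTABLISHED rule.
        return {f for f in self.conntrack if self.verdict(f, "NEW") != "ACCEPT"}

    def flush_conntrack(self, pred: Callable[[Flow], bool] = lambda f: True) -> int:
        # Analogue of `conntrack -F` (everything) or `conntrack -D` with a
        # filter: afterwards the flow's next packet is evaluated as NEW again.
        doomed = {f for f in self.conntrack if pred(f)}
        self.conntrack -= doomed
        return len(doomed)


ESTABLISHED = Rule("ACCEPT", ctstate="ESTABLISHED")


def demo() -> dict:
    fw = Firewall([ESTABLISHED, Rule("ACCEPT", proto="tcp", dport=22)])
    admin_ssh = Flow("tcp", "203.0.113.5", 22)         # constructed TEST-NET-3 address
    out = {"initial": fw.filter(admin_ssh)}             # ACCEPT; the flow is now tracked

    # The mistake from the thread: the reloaded rule set blocks inbound ssh.
    fw.replace_rules([ESTABLISHED, Rule("DROP", proto="tcp", dport=22)])
    out["after_reload"] = fw.filter(admin_ssh)          # still ACCEPT via ESTABLISHED
    out["new_session"] = fw.filter(Flow("tcp", "198.51.100.9", 22))   # DROP
    stale = fw.stale_entries()
    out["stale"] = stale == {admin_ssh}                 # the survivor can be identified

    # Enforce the new policy on existing sessions too (the thread's proposal).
    out["flushed"] = fw.flush_conntrack(lambda f: f in stale)
    out["after_flush"] = fw.filter(admin_ssh)           # DROP: re-evaluated as NEW
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`stale_entries` is the check a cautious admin can run before flushing anything: it lists exactly the sessions that a reloaded policy would refuse, including the admin's own ssh session when the new rules are wrong, so the decision to tear them down is explicit rather than a side effect of the restart.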