Konrad Rosenbaum konrad@silmor.de (Sat 28 Mar 2009 16:22:24 CET):
On Saturday 28 March 2009, Jeffrey Kelling wrote:
Avoid networks, or at least use a paranoid firewall configuration.
I have a question about that myself: @Konrad: is there a good tutorial for setting up iptables? The last time I tried it, I couldn't get into the network myself afterwards ;(
I don't know of one. While experimenting you should at least have direct (keyboard) access to the machine in question.
Or something like this:
#! /bin/bash
# © 2008 Heiko Schlittermann hs@schlittermann.de
# $Id: firestart 3589 2008-01-21 21:21:24Z heiko $
# $URL: https://svn.schlittermann.de/is/firestart/trunk/firestart $

# Parse -h/--help and -m/--man; the POD at the end of this file feeds pod2usage.
tmp=$(getopt -n "$(basename "$0")" -o hm -l help,man -- "$@") || exit 1
eval set -- "$tmp"
while true; do
    o="$1"; shift
    case "$o" in
        -h|--help) pod2usage -verbose 0 "$0"; exit 0 ;;
        -m|--man)  pod2usage -verbose 2 "$0"; exit 0 ;;
        --) break ;;
    esac
done

SCRIPT=${1-/etc/network/firewall}   # the firewall script to start
TMOUT=${2-10}                       # seconds to wait for the user's confirmation
TMPFILE=$(mktemp)                   # holds the previous ruleset for rollback

function die() {
    echo "$(basename "$0"): $@" >&2
    exit 1
}

# Save the currently active ruleset so it can be rolled back.
function save() {
    echo -n "saving firewall to $1... " >&2
    iptables-save >"$1"
    echo "ok" >&2
}

# Roll back to the saved ruleset (no-op if the save file is already gone).
function restore() {
    test -f "$1" || return
    echo -en "\nrestoring firewall rules from $1... " >&2
    iptables-restore <"$1"
    echo "ok" >&2
    rm -vf "$1"
}

# Whatever happens (error, Ctrl-C, lost session), restore the old rules
# as long as the save file still exists.
trap "test -f $TMPFILE && restore $TMPFILE" EXIT

test -f "$SCRIPT" || die "$SCRIPT not found"

save "$TMPFILE"

unset REPLY
if "$SCRIPT"; then
    # Only an explicit "yes" within the timeout keeps the new rules;
    # removing the save file disarms the EXIT trap.
    read -t "$TMOUT" -p "OK? (yes/no) (timeout: ${TMOUT}s): " \
        && test "$REPLY" == "yes" \
        && echo "new firewall is active now" >&2 \
        && rm "$TMPFILE" \
        && exit 0
fi

restore "$TMPFILE"

# if it's not set, the read timed out and we want to
# read the response now
test "${REPLY+set}" || read -t 5

exit 1

=head1 NAME

firestart - simple wrapper for safe firewall start

=head1 SYNOPSIS

firestart [filename [timeout]]
firestart {-h|--help} | {-m|--man}

=head1 DESCRIPTION

This script just saves the current firewall state, starts the new one and waits for user input. If this input doesn't appear, the old state is restored. Same if the user doesn't confirm the new settings.

The I<timeout> is the time (seconds) to wait for user input after starting the firewall (default: 10). The I<filename> is the name of the firewall script; it has to be executable (default: F</etc/network/firewall>).

=head1 OPTIONS

=over 4

=item B<-h>|B<--help>

Short help.

=item B<-m>|B<--man>

Man page.

=back

=head1 AUTHOR

Heiko Schlittermann

=cut
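The wrapper above runs whatever script it finds at /etc/network/firewall but the post does not show one. The following is an added example of such a script (it is not from the original post nor Heiko Schlittermann's code): it builds a minimal default-deny ruleset in iptables-save format and loads it atomically with iptables-restore, which is the same format the wrapper itself uses for its save/restore. The SSH port (22) and the management network (192.0.2.0/24, a documentation range) are constructed assumptions, as is the `check_rules` guard, which refuses to load a ruleset that lacks the two rules that keep an existing SSH session alive, the usual cause of locking oneself out.

```shell
#!/bin/sh
# Example /etc/network/firewall for use with the firestart wrapper.
# Added example, not part of the original post. Exit status is what
# firestart checks: 0 means "rules loaded, ask the user to confirm".

SSH_PORT=${SSH_PORT-22}               # assumption: SSH on the default port
MGMT_NET=${MGMT_NET-192.0.2.0/24}     # constructed: where admins connect from

# Emit the whole ruleset in iptables-save format. Loading it with
# iptables-restore replaces the filter table in one commit, so a typo in
# rule 7 cannot leave rules 1-6 active and the rest missing.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Anti-lockout check (constructed helper): the ruleset must keep the
# current SSH session (ESTABLISHED) and allow new admin sessions, or we
# do not hand it to the kernel at all.
check_rules() {
    firewall_rules | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    firewall_rules | grep -q -- "--dport $SSH_PORT .* -j ACCEPT" || return 1
    return 0
}

load_rules() {
    if ! check_rules; then
        echo "refusing to load: ruleset lacks the anti-lockout rules" >&2
        return 1
    fi
    firewall_rules | iptables-restore
}

# Only touch the kernel when run as root with iptables present
# (i.e. when started via "firestart"); otherwise just print the ruleset.
if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    load_rules
else
    echo "not root or no iptables-restore; ruleset would be:" >&2
    firewall_rules
fi
```

Run it through the wrapper as `firestart /etc/network/firewall 15`: the wrapper snapshots the old table, this script commits the new one, and if you can no longer type "yes" within 15 seconds the snapshot comes back. Dropping the `-s $MGMT_NET` restriction is the usual first adjustment when the admin network is not fixed.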