ADMINISABSENTMINDED Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@681 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -12,3 +12,5 @@ Changes since 1.4.6
 5) Removed some undocumented/braindead code from setup_masq()
 
 6) Don't allow 'stop' when startup is disabled
+
+7) Added ADMINISABSENTMINDED option.

Shorewall/firewall

@@ -996,11 +996,25 @@ stop_firewall() {
     delete_proxy_arp
     [ -n "$CLEAR_TC" ] && delete_tc
 
+    if [ -z "$ADMINISABSENTMINDED" ]; then
 	for chain in INPUT OUTPUT FORWARD; do
 	    setpolicy $chain DROP
 	done
 
 	deleteallchains
+    else
+	for chain in INPUT FORWARD; do
+	    setpolicy $chain DROP
+	done
+
+	setpolicy OUTPUT ACCEPT
+
+	deleteallchains
+
+	for chain in INPUT FORWARD; do
+	    setcontinue $chain
+	done
+    fi
 
     hosts=
 
@@ -1018,6 +1032,7 @@ stop_firewall() {
 	interface=${host%:*}
 	subnet=${host#*:}
 	iptables -A INPUT  -i $interface -s $subnet -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && \
 	    iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
 
 	for host1 in $hosts; do
@@ -1028,10 +1043,12 @@ stop_firewall() {
     done
 
     iptables -A INPUT  -i lo -j ACCEPT
+    [ -z "$ADMINISABSENTMINDED" ] && \
 	iptables -A OUTPUT -o lo -j ACCEPT
 
     for interface in `find_interfaces_by_option dhcp`; do
 	iptables -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && \
 	    iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
     done
 
@@ -4582,6 +4599,7 @@ do_initialize() {
     VERSION_FILE=
     LOGFORMAT=
     LOGRULENUMBERS=
+    ADMINISABSENTMINDED=
 
     stopping=
     have_mutex=
@@ -4730,6 +4748,7 @@ do_initialize() {
     else
 	LOGFORMAT="Shorewall:%s:%s:"
     fi
+    ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
     #
     # Strip the files that we use often
     #

Shorewall/releasenotes.txt

@@ -38,3 +38,42 @@ New Features:
    /etc/shorewall/startup_disabled exists. This prevents people from
    shooting themselves in the foot prior to having configured
    Shorewall.
+
+4) A new option "ADMINISABSENTMINDED" has been added to
+   /etc/shorewall/shorewall.conf. This option has a default value of
+   "No" in which case Shorewall's 'stopped' state continues as it has
+   been; namely, in the stopped state only traffic to/from hosts listed
+   in /etc/shorewall/routestopped is accepted.
+
+   With ADMINISABSENTMINDED=Yes, in addition to traffic to/from the
+   hosts listed in /etc/shorewall/routestopped, Shorewall will allow:
+
+   a) All traffic originating from the firewall itself; and
+   b) All traffic that is part of or related to an already-existing
+   connection.
+
+   In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
+   entered through an ssh session will not kill the session.
+
+   Note though that it is still possible for people to shoot themselves
+   in the foot.
+
+   Example:
+
+   /etc/shorewall/nat:
+
+   206.124.146.178	eth0:0	192.168.1.5	
+
+   /etc/shorewall/rules:
+
+   ACCEPT	net	loc:192.168.1.5	tcp	22
+   ACCEPT	loc	fw		tcp	22
+
+   I ssh into 206.124.146.178 which establishes an SSH connection with
+   192.168.1.5. I then create a second SSH connection from that
+   computer to the firewall and confidently type "shorewall
+   stop". As part of stopping, Shorewall removes eth0:0 which kills my
+   SSH connection to 192.168.1.5!!!
+
+   
+

Shorewall/shorewall.conf

@@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
 
 NEWNOTSYN=No
 
+#
+# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
+#
+# Normally, when a "shorewall stop" command is issued or an error occurs during
+# the execution of another shorewall command, Shorewall puts the firewall into
+# a state where only traffic to/from the hosts listed in
+# /etc/shorewall/routestopped is accepted. 
+#
+# When performing remote administration on a Shorewall firewall, it is
+# therefore recommended that the IP address of the computer being used for
+# administration be added to the firewall's /etc/shorewall/routestopped file.
+#
+# Some administrators have a hard time remembering to do this with the result
+# that they get to drive across town in the middle of the night to restart
+# a remote firewall (or worse, they have to get someone out of bed to drive 
+# across town to restart a very remote firewall).
+#
+# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
+# when the firewall enters the 'stopped' state:
+#
+# All traffic that is part of or related to established connections is still
+# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
+# to and from hosts listed in /etc/shorewall/routestopped.
+#
+# If this variable is not set or it is set to the null value then
+# ADMINISABSENTMINDED=No is assumed.
+#
+ADMINISABSENTMINDED=No
+
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################