Terence,
On 10/28/14 5:49 PM, Terence M. Bandoian wrote:
> On 10/28/2014 8:55 AM, Léa Massiot wrote:
>> Christopher Schultz-2 wrote
>>> A bit of warning: when modifying iptables, you need to be very
>>> careful that you don't wipe out any rules that allow you to
>>> gain remote access to the server. For instance, if you have a
>>> default rule to DROP all packets and an exception that allows
>>> port 22 (ssh) traffic, then flushing all the rules in a table
>>> can make it impossible for you to revert the change without
>>> remote-rebooting (or, worse yet, paying someone to walk into
>>> the cage and push the reset button).
>> Yes, right; fortunately I wasn't working on a remote machine.
>>
>> On Debian Wheezy, the following set of commands actually disables
>> the firewall:
>> -------------------------------------------------------
>> # set the default policies to ACCEPT first, so that the flush
>> # below cannot leave a DROP policy in force with no exceptions
>> iptables -P INPUT ACCEPT
>> iptables -P OUTPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> -------------------------------------------------------
>>
>> Best regards.
>
> Hi, Léa-
>
> Ideally, I think you'd want to permanently modify the iptables
> rules to enable traffic over the desired port. Doing so would keep
> the existing safety measures in place and all of the rules would
> survive a reboot. However, if you just want to temporarily disable
> iptables, I believe
>
> service iptables stop
>
> would do so.

Debian Wheezy doesn't use "service"; instead it still uses /etc/init.d. Oddly enough, there is no /etc/init.d/iptables script for Debian[1]. We deploy on Debian in most environments and have simply rolled our own iptables script that runs on boot.

> Permanently disabling iptables would require a little more work as,
> in my experience, it is typically configured to start when the
> system is booted.
Yes, and it's not really a good idea for production: you want your firewall configured properly instead of in "by any means necessary" mode. Configuring a server in anger usually ends up with an insecure configuration.

-chris
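An added example, written for this page and not taken from anyone in the thread: a small POSIX sh script that performs the "open everything" reset discussed above in a lockout-safe way. It sets the default policies to ACCEPT before flushing, snapshots the live rules with iptables-save, and arms a timed iptables-restore that the admin cancels once they have confirmed they can still log in. The command names are variables so the logic can be dry-run with stub functions; ROLLBACK_SECS, ROLLBACK_PID and the SAFE_RESET_RUN guard are my own conventions, not Debian's or iptables'.

```shell
#!/bin/sh
# Added example (not from the thread): lockout-safe iptables reset.
# Command names are variables so the logic can be dry-run with stub functions.
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"   # assumed default, adjust to taste
ROLLBACK_PID=""

# Save the live ruleset to a temp file and print its path.
snapshot_rules() {
    f=$(mktemp) || return 1
    "$IPT_SAVE" > "$f" || return 1
    printf '%s\n' "$f"
}

# Open the firewall in the safe order: policies to ACCEPT *before* flushing.
# Flushing first under a DROP policy removes the ssh exception while DROP is
# still in force, which is exactly the remote lockout described above.
open_firewall() {
    for chain in INPUT OUTPUT FORWARD; do
        "$IPT" -P "$chain" ACCEPT || return 1
    done
    for table in filter nat mangle; do
        "$IPT" -t "$table" -F || return 1
        "$IPT" -t "$table" -X || return 1
    done
}

# Arm a background restore of the snapshot. Unless the admin kills
# ROLLBACK_PID within ROLLBACK_SECS, the saved rules come back on their own.
# stdout/stderr are detached so a caller's $(...) does not wait on the job.
arm_rollback() {
    ( sleep "$ROLLBACK_SECS"; "$IPT_RESTORE" < "$1" ) >/dev/null 2>&1 &
    ROLLBACK_PID=$!
}

safe_reset() {
    snap=$(snapshot_rules) || { echo "snapshot failed, rules untouched" >&2; return 1; }
    arm_rollback "$snap"
    open_firewall || return 1
    echo "firewall open; snapshot in $snap, auto-restore in ${ROLLBACK_SECS}s" >&2
    echo "still have access? cancel the rollback with: kill $ROLLBACK_PID" >&2
}

# Touch the live firewall only when explicitly asked (needs root).
if [ -n "${SAFE_RESET_RUN:-}" ]; then
    safe_reset
fi
```

Run it as root with SAFE_RESET_RUN=1 from the remote session you care about; if that session survives, kill the printed PID, otherwise the old rules return by themselves.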