
When I work on configuration files, especially those of the mail server, I would like to temporarily drop all incoming traffic except on port 22, so that I don't risk losing incoming mail if I need to move the mail server to another server, or something like that.

Using shorewall, how could I do that?

I was thinking of creating a rules file that diverts all the traffic to a non-existent internal IP and swapping it with the normal file when needed.

Magnetic_dud

3 Answers


You could make a little script that just stops shorewall and restarts it with a different config directory:

# shorewall stop
# shorewall start /etc/shorewall-temp

When you need the old config, I think a shorewall restart just restarts with the default parameters.

PiL

I assume that "internet" is NET and your internal machines are LOC. Change this as it fits your shorewall needs.

You say port 22 and talk about mail. I'm assuming you want to drop all traffic and only allow SSH traffic, not allow all mail traffic?

Use DNAT to forward traffic, in the rules file.

DNAT       net         loc:192.168.0.3:22              tcp     22

This forwards traffic to port 22 (usually SSH) on the firewall ($FW) to the internal IP 192.168.0.3.

If you want to drop all traffic, do this in the shorewall rules file (the order of the rules is important):

ACCEPT        net          loc:mailserver_ip               tcp    22
REJECT        net          loc:mailserver_ip

Of course you need to exchange mailserver_ip for the correct IP. Secondly, if the mail server is located on the same server as shorewall, you should signify this with $FW instead of loc:mailserver_ip.

artifex

I do a similar thing with my Watchguard firewall as Pier has suggested: I keep 2 configuration files, one is my production config file and the other one blocks all incoming services except those I want to continue coming in while I'm performing maintenance. When I have scheduled maintenance I simply load my maintenance config and when I'm done I load the production config.

joeqwerty