Date:      Sun, 13 Aug 2006 09:23:07 -0500
From:      "Bill Marquette" <bill.marquette@gmail.com>
To:        Volker <volker@vwsoft.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Re: "Reset" Script, Anyone?
Message-ID:  <55e8a96c0608130723o760378a2o4a894ff6112fb994@mail.gmail.com>
In-Reply-To: <44DF10A8.9000009@vwsoft.com>
References:  <44DC8709.1050605@2012.vi> <720051dc0608110657m1109c80dke2186baee9c2d9@mail.gmail.com> <44DF10A8.9000009@vwsoft.com>

On 8/13/06, Volker <volker@vwsoft.com> wrote:
> On 12/23/-58 20:59, James Seward wrote:
> > On 8/11/06, beno <zope@2012.vi> wrote:
> >> I am half a world away from my console. If I make a mistake entering my
> >> PF rules, I could lock myself out. It would be nice if I had a script I
> >> could activate by cron that automatically flushed out my rc.conf that
> >> I'm experimenting with and loaded the original. That way, I could set
> >> the cron, load my experimental rc.conf, reboot and see if I could still
> >> connect to my box. If I couldn't, then all I'd have to do is wait a few
> >> minutes and then I could try again. Surely I'm not the first person to
> >> have thought of this. Anyone have a script that does this?
> >
> > I do this by having a screen session running, and a known-good
> > pf.conf.safe:
> >
> > # pfctl -f pf.conf && sleep 60 && pfctl -f pf.conf.safe
> >
> > Then I detach my screen and try to login again, or test whatever I
> > wanted to. If it's all good and I haven't locked myself out, I just
> > have to get back into screen before 60 seconds pass and hit ^C. If I
> > don't do that in time, it'll load my safe ruleset.
> >
> > /JMS
>
> Wait! That might render your box unaccessible.
>
> What if your terminal session dies? Then the pfctl command after
> sleep will never be executed. It's better to do something like:

I imagine that's why it's running in screen.

> echo "pfctl -f whateveryoursavedpf.confis" | at + 5 minutes
>
> or you may just use `echo "pfctl -d" | at + 5 minutes' which would
> just disable pf and your box will be accessible if something has
> gone wrong within 5 minutes.
>
> If you're happy with your new rules, you may `atrm' the job.

This of course is a "safer" solution and allows the user to use only
software that came with the system and not have to learn how to use
screen :)

You could also get fancy and use source code control (rcs, cvs, svn,
etc) to control the rule file and revert the change easily.  This also
makes it easier to diff the change allowing you one last eyeball
before committing it.

--Bill
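Putting the two suggestions in this thread together, here is an added example (not code from the thread or from any of its authors): a small sh(1) script that syntax-checks a candidate ruleset, queues the rollback with at(1) before loading the new rules, falls back to `pfctl -d` if even the safe ruleset fails to load, and lets you cancel the rollback once you have confirmed you can still get in. The file paths, the job-number file and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# pf-try.sh -- load a candidate pf ruleset behind a dead-man's switch.
# Added example, not code from the mailing-list thread. The rollback is
# queued with at(1) so it does not depend on a live terminal, and the
# job disables pf entirely if the safe ruleset itself fails to load.
# Paths, the job-number file and DRY_RUN are assumptions for illustration.
#
#   pf-try.sh arm     # check the candidate, queue rollback, load candidate
#   pf-try.sh keep    # you got back in: cancel the rollback, keep the rules
#
# Test with a *new* ssh connection: pfctl -f does not flush the state
# table, so an existing session keeps working even when the new rules
# would block a fresh one.

CANDIDATE=${CANDIDATE:-/etc/pf.conf.new}
SAFE=${SAFE:-/etc/pf.conf.safe}
DELAY=${DELAY:-5}                       # minutes until the rollback fires
JOBFILE=${JOBFILE:-/var/run/pf-try.job} # remembers the at(1) job number
DRY_RUN=${DRY_RUN:-0}                   # 1: print commands instead of running them

# run CMD...: execute a command, or print it when DRY_RUN=1 so the
# control flow can be exercised on a box without pf or atd.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# rollback_job SAFE: the body of the at(1) job. Restore the safe ruleset;
# if that fails for any reason, disable pf so the host stays reachable.
rollback_job() {
    printf 'pfctl -f %s || pfctl -d\n' "$1"
}

# schedule_rollback: queue the job and record its number for atrm(1).
# at(1) reports "job N at <date>" (on stderr on FreeBSD), so both
# streams are captured and the number is parsed out.
schedule_rollback() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ echo '$(rollback_job "$SAFE")' | at now + $DELAY minutes"
        out="job 0 at (dry run)"
    else
        out=$(rollback_job "$SAFE" | at now + "$DELAY" minutes 2>&1) || return 1
    fi
    job=$(printf '%s\n' "$out" | sed -n 's/^job \([0-9][0-9]*\).*/\1/p')
    [ -n "$job" ] || { echo "could not parse at(1) output: $out" >&2; return 1; }
    printf '%s\n' "$job" > "$JOBFILE"
}

# arm: refuse a candidate that does not parse, queue the rollback
# *before* loading, then load. The order matters: if the new rules kill
# your session, the rollback is already in the queue.
arm() {
    run pfctl -nf "$CANDIDATE" || { echo "$CANDIDATE does not parse" >&2; return 1; }
    schedule_rollback || return 1
    run pfctl -f "$CANDIDATE" || return 1
    echo "loaded $CANDIDATE; rollback to $SAFE in $DELAY minutes (job $(cat "$JOBFILE"))"
}

# keep: the candidate worked. Cancel the pending rollback and promote
# the candidate to the safe ruleset for the next experiment.
keep() {
    [ -r "$JOBFILE" ] || { echo "no pending rollback" >&2; return 1; }
    run atrm "$(cat "$JOBFILE")" || return 1
    rm -f "$JOBFILE"
    run cp "$CANDIDATE" "$SAFE"
}

case "${1:-}" in
    arm)  arm ;;
    keep) keep ;;
    "")   ;;   # no arguments: only define the functions
    *)    echo "usage: $0 arm|keep" >&2; exit 64 ;;
esac
```

Run `DRY_RUN=1 ./pf-try.sh arm` first to see exactly which pfctl and at commands would be issued; on the real box, `atq` shows the pending rollback and `./pf-try.sh keep` removes it. If you keep the ruleset under RCS as suggested above, `rcsdiff pf.conf` before `arm` gives the last eyeball the thread recommends.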



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55e8a96c0608130723o760378a2o4a894ff6112fb994>