From: Kevin Kinsey <kdk@daleco.biz>
Date: Mon, 05 Sep 2005 08:11:51 -0500
To: "James Bowman Sineath, III"
Cc: Grant Peel, freebsd-questions@freebsd.org
Subject: Re: IPFW lockout.

James Bowman Sineath, III wrote:

>> Hi all,
>>
>> I have a small problem on one of my dev boxes. I have a bad bootup
>> ipfw ruleset and I find myself locked out of the machine.
>>
>> There will be a technician at the NOC on Tuesday that will be able
>> to assist me.
>>
>> My question is: Will he/she be able to simply reboot, logon as root
>> as normal?
>>
>> - and then -
>>
>> disable IPFW in rc.conf ... or will the loopback rule not being
>> present cause more mayhem than I think it will?
>>
>> -Grant
>
>
> He should be able to login without any problems.
>
> On another note, in the future whenever you make changes to your
> system that could potentially lock you out, use crontab to disable
> them after a short amount of time. For example, when I was
> reconfiguring sshd, I crontab'ed 'killall sshd && sshd -f /root/sshd_config_old'
> and moved the default config file to my /root directory. Also when playing
> with my ipfw rules, I crontab'ed 'ipfw disable firewall' for every 15 minutes
> until I got it working the way I wanted to.
>
> Be VERY careful with this though. Don't use it and then forget to remove
> the lines from your /etc/crontab. Remove them as soon as you get it
> configured the way you want to. This is obviously a serious security
> risk, so don't use it very often. If you are worried about disabling your
> firewall, then create a small ipfw script to deny all connections except
> from your IP address and crontab that instead of 'ipfw disable firewall'.
> Also keep in mind to enable your firewall again you will need to type
> 'ipfw enable firewall'.

See also /usr/share/examples/ipfw/change_rules.sh....

Kevin Kinsey
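A worked version of the fallback James suggests (a cron-driven script that replaces the running ipfw rules with a minimal set admitting only the admin address, plus the disarm step he warns about), added here as an example; it is not code from this thread or from FreeBSD. It assumes /sbin/ipfw on FreeBSD, a placeholder admin address 203.0.113.5, a script path of your choosing, and that IPFW_CMD=echo is acceptable as a dry run; the fallback cuts every service except SSH from that address, which is the point.

```sh
#!/bin/sh
# Added example, not from the thread: an ipfw "lockout guard" in the spirit of
# James's advice. Instead of 'ipfw disable firewall', cron periodically loads a
# minimal ruleset that only lets the admin address in, until you disarm it.
# Assumptions: FreeBSD /sbin/ipfw; the admin address is a placeholder;
# set IPFW_CMD=echo for a dry run on a box without ipfw.
IPFW_CMD="${IPFW_CMD:-/sbin/ipfw}"

# Print the fallback ruleset: loopback, already-established TCP sessions,
# new SSH only from the admin address, deny everything else.
safe_rules() {
    admin_ip="$1"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 allow tcp from any to any established
add 400 allow tcp from ${admin_ip} to me 22 setup
add 65000 deny ip from any to any
EOF
}

# Flush the running rules and load the fallback set (the dangerous part).
apply_safe_rules() {
    "$IPFW_CMD" -q -f flush
    safe_rules "$1" | while read -r rule; do
        # $rule is intentionally unquoted: ipfw wants each word as an argument
        "$IPFW_CMD" -q $rule
    done
}

# The /etc/crontab line that re-applies the fallback every N minutes
# (system crontab format: min hour mday month wday who command).
cron_line() {
    printf '*/%s\t*\t*\t*\t*\troot\t%s apply %s\n' "$1" "$2" "$3"
}

# Remove the guard line from a crontab file once the real rules are confirmed
# working; forgetting this step is the risk James warns about.
disarm_guard() {
    crontab_file="$1"; script="$2"
    grep -v -F "$script" "$crontab_file" > "${crontab_file}.tmp" || [ $? -eq 1 ]
    mv "${crontab_file}.tmp" "$crontab_file"
}

# Usage from cron: /path/to/this.sh apply ADMIN_IP
if [ "${1:-}" = "apply" ]; then
    apply_safe_rules "$2"
fi
```

Re-enabling the real ruleset afterwards is still a manual step, as James notes: reload your normal rules (or 'ipfw enable firewall' if you used the disable variant) and then run disarm_guard against /etc/crontab.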