From: "James Seward" <jamesoff@gmail.com>
To: beno
Cc: freebsd-pf@freebsd.org
Date: Fri, 11 Aug 2006 14:57:32 +0100
Subject: Re: "Reset" Script, Anyone?
Message-ID: <720051dc0608110657m1109c80dke2186baee9c2d9@mail.gmail.com>
In-Reply-To: <44DC8709.1050605@2012.vi>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf@freebsd.org>

On 8/11/06, beno wrote:
> I am half a world away from my console. If I make a mistake entering my
> PF rules, I could lock myself out. It would be nice if I had a script I
> could activate by cron that automatically flushed out my rc.conf that
> I'm experimenting with and loaded the original. That way, I could set
> the cron, load my experimental rc.conf, reboot and see if I could still
> connect to my box. If I couldn't, then all I'd have to do is wait a few
> minutes and then I could try again. Surely I'm not the first person to
> have thought of this. Anyone have a script that does this?

I do this by having a screen session running, and a known-good pf.conf.safe:

# pfctl -f pf.conf && sleep 60 && pfctl -f pf.conf.safe

Then I detach my screen and try to log in again, or test whatever I wanted
to. If it's all good and I haven't locked myself out, I just have to get
back into screen before 60 seconds pass and hit ^C. If I don't do that in
time, it'll load my safe ruleset.

/JMS
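The timed fallback described in the reply, written out as a small script. This is an added example, not code from the post or from FreeBSD; it assumes `pfctl` is in PATH (the `PFCTL` variable exists only so the example can be exercised with a stub) and that `pf.conf.safe` is a ruleset you have already verified from a working session. It adds the two safeguards a practitioner would want on top of the one-liner: both files are parse-checked with `pfctl -n` before the live ruleset is touched, and the revert timer runs under `nohup` so it survives the SSH session dying, which is the job screen does in the original. The watchdog is armed before the candidate is loaded, so a lockout that happens the instant the new rules take effect still gets undone.

```shell
#!/bin/sh
# pf-try: load a candidate pf ruleset and automatically fall back to a
# known-good one unless the change is confirmed in time.
# Added example, not code from the mailing-list post. Assumes pfctl in PATH
# (PFCTL is an override hook for testing) and a pf.conf.safe that you have
# verified from a working session.

PFCTL="${PFCTL:-pfctl}"
PIDFILE="${PF_TRY_PIDFILE:-/var/run/pf-try.pid}"

# Parse-only check: pfctl -n reads the file but does not load it.
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_try CANDIDATE SAFE [SECONDS]
# Loads CANDIDATE and arranges for SAFE to be loaded after SECONDS (default 60)
# unless pf_commit is called first. Nothing is loaded if either file fails to
# parse, so a typo cannot leave you with a fallback that itself will not load.
pf_try() {
    candidate=$1; safe=$2; timeout=${3:-60}
    pf_check "$candidate" || return 1
    pf_check "$safe" || return 1
    if [ -f "$PIDFILE" ]; then
        echo "pf-try: a trial is already pending (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    # Arm the watchdog BEFORE loading: if the new rules cut this session off,
    # the revert is already scheduled. nohup keeps it alive after the SSH
    # session (and this shell) dies, which is what screen provides otherwise.
    nohup sh -c "sleep $timeout; '$PFCTL' -f '$safe'; rm -f '$PIDFILE'" \
        >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    "$PFCTL" -f "$candidate" || { pf_revert "$safe"; return 1; }
}

# pf_commit: you got back in, so keep the candidate and disarm the watchdog.
pf_commit() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

# pf_revert SAFE: give up early and load the safe ruleset right now.
pf_revert() {
    pf_commit 2>/dev/null || true
    "$PFCTL" -f "$1"
}

# Command-line front end: pf-try try NEW SAFE [SECONDS] | commit | revert SAFE
pf_try_main() {
    case "$1" in
        try)    shift; pf_try "$@" ;;
        commit) pf_commit ;;
        revert) shift; pf_revert "$@" ;;
        *)      echo "usage: $0 try NEW SAFE [SECONDS] | commit | revert SAFE" >&2
                return 2 ;;
    esac
}

# Dispatch only when run with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    pf_try_main "$@"
fi
```

Typical use from a remote shell is `pf-try try /etc/pf.conf /etc/pf.conf.safe 90`, then open a second SSH connection; if it works, `pf-try commit` from either session before the timer expires. Killing the watchdog's `sh` is enough to cancel it: the orphaned `sleep` finishes harmlessly and the `pfctl -f` that would have followed never runs.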