From: Volker <volker@vwsoft.com>
To: James Seward
Cc: freebsd-pf@freebsd.org
Date: Sun, 13 Aug 2006 13:44:40 +0200
Subject: Re: Re: "Reset" Script, Anyone?
Message-ID: <44DF10A8.9000009@vwsoft.com>
In-Reply-To: <720051dc0608110657m1109c80dke2186baee9c2d9@mail.gmail.com>
References: <44DC8709.1050605@2012.vi> <720051dc0608110657m1109c80dke2186baee9c2d9@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 12/23/-58 20:59, James Seward wrote:
> On 8/11/06, beno wrote:
>> I am half a world away from my console. If I make a mistake entering my
>> PF rules, I could lock myself out. It would be nice if I had a script I
>> could activate by cron that automatically flushed out my rc.conf that
>> I'm experimenting with and loaded the original. That way, I could set
>> the cron, load my experimental rc.conf, reboot and see if I could still
>> connect to my box. If I couldn't, then all I'd have to do is wait a few
>> minutes and then I could try again. Surely I'm not the first person to
>> have thought of this. Anyone have a script that does this?
>
> I do this by having a screen session running, and a known-good
> pf.conf.safe:
>
> # pfctl -f pf.conf && sleep 60 && pfctl -f pf.conf.safe
>
> Then I detach my screen and try to login again, or test whatever I
> wanted to. If it's all good and I haven't locked myself out, I just
> have to get back into screen before 60 seconds pass and hit ^C. If I
> don't do that in time, it'll load my safe ruleset.
>
> /JMS
Wait! That might render your box inaccessible. What if your terminal session dies? Then the pfctl command after sleep will never be executed.

It's better to do something like:

    echo "pfctl -f whateveryoursavedpf.confis" | at now + 5 minutes

or you may just use

    echo "pfctl -d" | at now + 5 minutes

which would just disable pf, and your box will be accessible if something has gone wrong within 5 minutes. If you're happy with your new rules, you may atrm the job.

Greetings,
Volker
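The failsafe Volker describes, written out as a small sh script. This is an added example for this thread, not code from any of the posts. It assumes FreeBSD pfctl(8) semantics (pfctl -n -f for a syntax check, -f to load a ruleset, -d to disable pf) and a hypothetical known-good ruleset at /etc/pf.conf.safe; the script name pf-safeload, the PID file path and the shell-function override for PFCTL are likewise assumptions. Instead of at(1) it detaches the revert timer itself: the watchdog is a backgrounded subshell that ignores SIGHUP and has no terminal, so it survives the SSH session dying, which is exactly what a "sleep 60 && pfctl -f ..." typed into the session does not do.

```sh
#!/bin/sh
# pf-safeload: load an experimental pf ruleset and automatically fall back
# to a known-good one unless the change is confirmed in time.
# Added example for this thread, not code from the original posts.
# Assumed: FreeBSD pfctl(8) semantics; the safe-ruleset and PID file paths are hypothetical.

PFCTL="${PFCTL:-pfctl}"                        # overridable, e.g. with a shell function for testing
SAFE="${SAFE:-/etc/pf.conf.safe}"              # known-good ruleset (assumed path)
PIDFILE="${PIDFILE:-/var/run/pf-safeload.pid}" # where the watchdog's pid is recorded (assumed path)

# revert: reload the safe ruleset; if even that fails, disable pf outright
# (Volker's "pfctl -d" fallback) so the box stays reachable.
revert() {
    "$PFCTL" -f "$SAFE" || "$PFCTL" -d
}

# arm NEWCONF SECONDS: syntax-check and load NEWCONF, then start a detached
# watchdog that runs revert after SECONDS unless disarm is called first.
arm() {
    newconf=$1
    secs=$2
    [ -n "$newconf" ] && [ -n "$secs" ] || { echo "usage: arm NEWCONF SECONDS" >&2; return 2; }
    "$PFCTL" -n -f "$newconf" || return 1   # refuse a ruleset that does not even parse
    "$PFCTL" -f "$newconf" || return 1
    # The watchdog is a subshell, so it inherits revert and the variables above,
    # but it ignores SIGHUP and has no tty: if the login session dies it keeps
    # running, which is the failure mode of a sleep typed into the session itself.
    ( trap '' HUP; sleep "$secs"; revert ) </dev/null >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
    echo "armed: reverting to $SAFE in ${secs}s unless disarmed (watchdog pid $!)"
}

# disarm: the new ruleset works (a fresh login succeeded), so cancel the revert.
disarm() {
    [ -r "$PIDFILE" ] || { echo "disarm: no armed watchdog" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null   # kills the subshell; its orphaned sleep exits harmlessly
    rm -f "$PIDFILE"
    echo "disarmed watchdog $pid"
}

main() {
    case "$1" in
        arm)    arm "$2" "${3:-300}" ;;
        disarm) disarm ;;
        *)      echo "usage: $0 arm NEWCONF [SECONDS] | $0 disarm" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `pf-safeload arm /etc/pf.conf.new 300`, open a new SSH session, and if that works run `pf-safeload disarm`. Two caveats from my side, not from the thread: test with a new connection, not the one you are typing in, because pf keeps its state table across a ruleset reload, so an already-established SSH session will keep working even if the new rules would block a fresh one; and a plain `pfctl -d` fallback opens the host completely, so prefer reverting to a safe ruleset and treat -d as the last resort.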