Modify host-level firewall rules (without getting locked out)
This guide is geared toward sysadmins who manage remote servers running host-level firewalls. The theory should apply to any *nix OS with packet filtering firewall capabilities. The specific examples provided are for FreeBSD 6.3. (General approach was inspired by advice found in the book Mastering FreeBSD and OpenBSD Security.)
You apply packet filtering rule changes to your remote server's host-level firewall, only to discover you are now locked out. Whoops. Time to get on the phone to ask someone to physically access the console so that you can talk him through the steps needed to let you in again. Let's avoid all that...
Firewall bailout idea
The approach goes something like this:
Bailout at job expanded
What does this at job actually do? This is where things are very flexible -- it can do different things for different people, based on need. One option is to have it shut off / open up your firewall completely. If this is impractical (or dangerous), another option is to have it lock down your firewall to the outside world, except for a rule that allows you ssh access in. If that doesn't sit well in your situation, yet another option is to have it roll back to a previous iteration of a "known good" ruleset.
[ written for FreeBSD 6.3 using pf ]
Consider the following script, fw-bailout.sh:
#!/bin/sh /sbin/pfctl -d exit 0
Given fw-bailout.sh, let's put the "Firewall bailout idea" to work.
And there it is. A simple, (hopefully) straightforward approach to modifying your packet filtering rules without getting locked out. Be sure to tailor the at job to suit your specific needs, and be especially sure to test it while you or someone you trust has console access. Happy administering.
Kill your t.v.
|Thread||Thread Starter||Forum||Replies||Last Post|
|How to modify the ls command?||bsdnewbie999||OpenBSD General||9||16th May 2009 08:20 AM|
|PF and kernel-level PPPoE(4)||gezley||OpenBSD Security||3||15th May 2009 06:56 PM|
|read & modify files out side chroot jail||Dr_Death_UAE||FreeBSD Security||5||6th November 2008 09:20 PM|
|Which light Gui from modify images files?||aleunix||OpenBSD General||7||15th June 2008 04:32 PM|
|How to modify the boot loader?||Sunsawe||FreeBSD General||5||29th May 2008 05:13 AM|