Modify host-level firewall rules (without getting locked out)
This guide is geared toward sysadmins who manage remote servers running host-level firewalls. The theory should apply to any *nix OS with packet filtering firewall capabilities. The specific examples provided are for FreeBSD 6.3. (General approach was inspired by advice found in the book Mastering FreeBSD and OpenBSD Security.)
-----------------------------------------

Scenario
You apply packet filtering rule changes to your remote server's host-level firewall, only to discover you are now locked out. Whoops. Time to get on the phone to ask someone to physically access the console so that you can talk him through the steps needed to let you in again. Let's avoid all that...

Firewall bailout idea
The approach goes something like this:

Bailout at job expanded
What does this at job actually do? This is where things are very flexible -- it can do different things for different people, based on need. One option is to have it shut off / open up your firewall completely. If this is impractical (or dangerous), another option is to have it lock down your firewall to the outside world, except for a rule that allows you ssh access in. If that doesn't sit well in your situation, yet another option is to have it roll back to a previous iteration of a "known good" ruleset.

Bailout example [ written for FreeBSD 6.3 using pf ]
Consider the following script, fw-bailout.sh:
Code:
#!/bin/sh
# disable pf entirely: no rule is enforced until someone runs pfctl -e again
/sbin/pfctl -d
exit 0

Given fw-bailout.sh, let's put the "Firewall bailout idea" to work.
-----------------------------------------

And there it is. A simple, (hopefully) straightforward approach to modifying your packet filtering rules without getting locked out. Be sure to tailor the at job to suit your specific needs, and be especially sure to test it while you or someone you trust has console access. Happy administering.
__________________
Kill your t.v.
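The bailout idea from the post above, written up as an added example (this is not the poster's script): a small POSIX sh wrapper that syntax-checks the new ruleset, queues the at job that runs fw-bailout.sh, loads the rules, and tells you which job to atrm from a fresh ssh session. The paths, the GRACE default and the variable names are my assumptions; the command paths are variables so the flow can be dry-run against stub commands on a box without pf.

```shell
#!/bin/sh
# fw-safe-reload.sh: load a new pf ruleset with an at(1) bailout queued first.
# Added example for this thread's idea; not the original poster's script.
# Assumes FreeBSD with pf, at(1) enabled (atrun in /etc/crontab), and the
# poster's fw-bailout.sh installed at $BAILOUT (path is an assumption).

PFCTL=${PFCTL:-/sbin/pfctl}
AT=${AT:-/usr/bin/at}
ATRM=${ATRM:-/usr/bin/atrm}
BAILOUT=${BAILOUT:-/usr/local/sbin/fw-bailout.sh}
GRACE=${GRACE:-5}   # minutes until the bailout fires unless someone cancels it

# Step 0: refuse to touch the live ruleset if the new file does not even parse.
check_ruleset() {
    "$PFCTL" -nf "$1" >/dev/null 2>&1
}

# Step 1: queue the bailout and print its job number. at(1) reports
# "job N at <date>" on stderr; the number is what atrm needs later.
schedule_bailout() {
    printf '%s\n' "$BAILOUT" | "$AT" now + "$GRACE" minutes 2>&1 \
        | sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# Step 2: only now load the new rules. If they lock us out, step 1 undoes them.
load_ruleset() {
    "$PFCTL" -f "$1"
}

# Step 3: run from a *fresh* ssh session once a new login has succeeded.
cancel_bailout() {
    "$ATRM" "$1"
}

# Steps 0-2 in order; prints the at job number on stdout, status on stderr.
safe_reload() {
    ruleset=$1
    check_ruleset "$ruleset" || { echo "syntax error in $ruleset, nothing changed" >&2; return 1; }
    job=$(schedule_bailout)
    [ -n "$job" ] || { echo "could not queue bailout job, nothing changed" >&2; return 1; }
    load_ruleset "$ruleset" || { cancel_bailout "$job"; echo "pfctl -f failed, bailout cancelled" >&2; return 1; }
    echo "rules loaded; if a new login works, run '$ATRM $job' within $GRACE min" >&2
    echo "$job"
}

if [ $# -gt 0 ]; then
    safe_reload "$1"
fi
```

Run it as `sh fw-safe-reload.sh /etc/pf.conf.new`, open a second ssh session, and only then atrm the printed job; if the second login never comes, the at job runs fw-bailout.sh for you.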
I would probably have used cron in the past, so thanks for the quick 'at' tutorial, anomie.
Quote:
Of course, if you are using screen(4) or similar, that would not be an issue.
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given.
Very interesting idea, thanks.
I've only locked myself out a few times... Once when I was totally fragged, I locked myself out about 5 times in a row when testing changes to a headless computer... I ended up plugging in a keyboard just to log in as root and replace the broken config with the working config. Next time I'll remember to file a "cover your own six in N minutes" job beforehand ;-)
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
No problem - this approach has served me well for over a year now (on FBSD running pf, FBSD running ipfw, and Linux running iptables; it is the same concept all around). I started doing this out of necessity, after locking myself out a half dozen times.
__________________
Kill your t.v.
That really makes me feel better :\
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Well, before posting I tested it to the level of doing "echo hello && sleep 60 && echo hello", then closing the ssh session with a ~., and logging back in. The sleep process was not to be found.
However, I suspect that the ssh session will hang around after the packets start blackholing for long enough for the sleep && pfctl to work, whereas even ~. probably closed the session neatly. I'd consider it a little on the flaky side, however, but if it works, and it certainly is easy, then so be it. Personally, I'd always do this sort of thing inside a screen session anyway, so it's a moot point for me.
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given.
Quote:
__________________
Kill your t.v.
Depending on your sshd_config it's possible for ssh sessions to hang on the server when a connection dies. Whether processes that were running continue to execute in the shell until sshd terminates the user's session, or just go orphan, I dunno, but I would guess the latter.
Either way, unless Carpetsmoker has more details, I personally would use at/cron instead (and have today) because they generally offer more dependable, as in more well-defined, behavior in this kind of situation.
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.