DaemonForums  

#1
14th June 2008, anomie
Modify host-level firewall rules (without getting locked out)

This guide is geared toward sysadmins who manage remote servers running host-level firewalls. The theory should apply to any *nix OS with packet filtering firewall capabilities. The specific examples provided are for FreeBSD 6.3. (General approach was inspired by advice found in the book Mastering FreeBSD and OpenBSD Security.)

-----------------------------------------

Scenario
You apply packet filtering rule changes to your remote server's host-level firewall, only to discover you are now locked out. Whoops. Time to get on the phone to ask someone to physically access the console so that you can talk him through the steps needed to let you in again. Let's avoid all that...

Firewall bailout idea
The approach goes something like this:
  1. You schedule an at job to run 15 minutes from now. Its only purpose is to save you from yourself (in the event of a packet filtering rule mishap).
  2. You modify your packet filtering ruleset, and apply the new rules.
  3. If all goes well, you just cancel the at job. If all goes unwell (and your goof eliminated your ssh access to the server), the at job ensures that you'll be able to get in again in 15 minutes or so. Diagnose where you went wrong with your ruleset, and start over from step 1...

Bailout at job expanded
What does this at job actually do? This is where things are very flexible -- it can do different things for different people, based on need. One option is to have it shut off / open up your firewall completely. If this is impractical (or dangerous), another option is to have it lock down your firewall to the outside world, except for a rule that allows you ssh access in. If that doesn't sit well in your situation, yet another option is to have it roll back to a previous iteration of a "known good" ruleset.

Bailout example
[ written for FreeBSD 6.3 using pf ]

Consider the following script, fw-bailout.sh:
Code:
#!/bin/sh

/sbin/pfctl -d

exit 0
What does this do? Quite simply, when run it disables pf, allowing all traffic to pass.

Given fw-bailout.sh, let's put the "Firewall bailout idea" to work.
  1. Schedule the at job.
    Code:
    # at -f /root/fw-bailout.sh +15 minutes
    Job 31 will be executed using /bin/sh
  2. Busily change your packet filtering ruleset. Apply the changes...
  3. Were you successful? Then cancel the at job!
    Code:
    # atq
    Date                            Owner           Queue   Job#
    Fri Jun 13 22:00:00 CDT 2008    mmff            c       31
    
    # atrm 31
    Did you get locked out? Not a serious issue, thanks to your planning. Count down the time until the at job runs, ssh in again, identify the ruleset problem, and start over from step 1.

-----------------------------------------

And there it is. A simple, (hopefully) straightforward approach to modifying your packet filtering rules without getting locked out. Be sure to tailor the at job to suit your specific needs, and be especially sure to test it while you or someone you trust has console access. Happy administering.
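The guide's three bailout options (disable pf, lock down except ssh, roll back to a known-good ruleset) all hang off the same at(1) mechanics. The script below is an added example, not anomie's fw-bailout.sh or anything from the thread: it wraps the guide's steps 1 and 3 in shell functions and adds the "roll back to a known-good ruleset" variant, so the host does not have to sit wide open while you wait for the job to fire. It assumes FreeBSD pf with pfctl at /sbin/pfctl and the live ruleset in /etc/pf.conf (the guide's paths); the helper names, the pf.known-good snapshot file and the fw-bailout.job marker file are my own inventions.

```shell
#!/bin/sh
# Added example, not anomie's fw-bailout.sh: the at(1) bailout from the guide,
# wrapped so it can also roll back to a saved known-good ruleset instead of
# disabling pf. Assumes FreeBSD pf with pfctl at /sbin/pfctl and the live
# ruleset in /etc/pf.conf (the guide's paths); the helper names, the
# pf.known-good snapshot and the fw-bailout.job marker file are assumptions.

PFCTL=${PFCTL:-/sbin/pfctl}
RULES=${RULES:-/etc/pf.conf}
BAILOUT_DIR=${BAILOUT_DIR:-/root}
DELAY_MIN=${DELAY_MIN:-15}

# Write the script the at job will run.
#   disable : pfctl -d, exactly as in the guide (pf off, everything passes)
#   restore : pfctl -f <known-good>, so the box is never wide open while
#             you wait for the job
write_bailout_script() {   # $1 = output path, $2 = mode, $3 = known-good ruleset
    case "$2" in
        disable) printf '#!/bin/sh\n%s -d\nexit 0\n' "$PFCTL" > "$1" ;;
        restore) printf '#!/bin/sh\n%s -f %s\nexit 0\n' "$PFCTL" "$3" > "$1" ;;
        *)       echo "write_bailout_script: unknown mode '$2'" >&2; return 1 ;;
    esac
    chmod 700 "$1"
}

# Extract the job number from at(1)'s confirmation line so it can be atrm'd
# later: "Job 31 will be executed using /bin/sh" -> 31 (empty if no match).
parse_at_job() {
    printf '%s\n' "$1" | sed -n 's/^[Jj]ob \([0-9][0-9]*\) will be executed.*/\1/p'
}

# Step 1 of the guide: snapshot the current (still working) rules as the
# known-good set, write the bailout script, schedule it DELAY_MIN minutes
# out and remember the job id. Run this BEFORE touching the ruleset.
schedule_bailout() {       # $1 = disable | restore
    good="$BAILOUT_DIR/pf.known-good"
    script="$BAILOUT_DIR/fw-bailout.sh"
    cp "$RULES" "$good" || return 1
    write_bailout_script "$script" "$1" "$good" || return 1
    # at(1) prints its confirmation on stderr, hence 2>&1
    msg=$(at -f "$script" "+$DELAY_MIN" minutes 2>&1) || { printf '%s\n' "$msg" >&2; return 1; }
    job=$(parse_at_job "$msg")
    [ -n "$job" ] || { printf 'could not parse at output: %s\n' "$msg" >&2; return 1; }
    printf '%s\n' "$job" > "$BAILOUT_DIR/fw-bailout.job"
    echo "bailout job $job runs in $DELAY_MIN minutes; edit $RULES, then run cancel_bailout"
}

# Step 3 of the guide, happy path: the new rules let you in, so remove the job.
cancel_bailout() {
    job=$(cat "$BAILOUT_DIR/fw-bailout.job") || return 1
    atrm "$job" && rm -f "$BAILOUT_DIR/fw-bailout.job"
}

# Command-line use:  ./pf-bailout.sh schedule restore    ./pf-bailout.sh cancel
case "${1:-}" in
    schedule) schedule_bailout "${2:-restore}" ;;
    cancel)   cancel_bailout ;;
esac
```

The snapshot is taken at schedule time, so if you only remember the bailout after loading a broken ruleset the "known-good" copy is the broken one; the disable mode is the fallback in that case. Whichever mode you pick, the guide's advice still stands: try the bailout once while someone has console access.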
#2
14th June 2008, Carpetsmoker (Martin)

Isn't this much simpler/easier:
# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f /etc/pf.failsafe
#3
14th June 2008, anomie

I haven't tested your example, so can't speak to it. Ultimately, I would say it depends on your situation and your needs.
#4
14th June 2008, chris

I would probably have used a cron in the past, so thanks for the quick 'at' tutorial, anomie.
#5
14th June 2008, anomie

Sure. It can be a useful (forgotten) tool.
#6
15th June 2008, robbak (Robert Backhaus)

Quote:
Originally Posted by Carpetsmoker
Isn't this much simpler/easier:
# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f /etc/pf.failsafe
That would be killed by the loss of the ssh session.

Of course, if you are using screen(4) or similar, that would not be an issue.
#7
15th June 2008, Carpetsmoker (Martin)

No, it will work if the ssh connection is lost ... Try it.
#8
15th June 2008, TerryP

Very interesting idea, thanks.

I've only locked myself out a few times... Once, when I was totally fragged, I locked myself out about 5 times in a row when testing changes to a headless computer...

I ended up plugging in a keyboard just to log in as root and replace the broken config with the working config. Next time I'll remember to file a "cover your own six in N minutes" job beforehand ;-)
#9
15th June 2008, anomie

No problem - this approach has served me well for over a year now (on FBSD running pf, FBSD running ipfw, and Linux running iptables; it is the same concept all around). I started doing this out of necessity, after locking myself out a half dozen times.
15th June 2008, TerryP

That really makes me feel better :\
15th June 2008, scottro (Scott Robbins)

Yup, forgetting to add your ssh port can be a nuisance.

In my pf article, I went through doing that (with a cronjob) too, after learning the hard way.
16th June 2008, robbak (Robert Backhaus)

Quote:
Originally Posted by Carpetsmoker
No, it will work if the ssh connection is lost ... Try it.
Well, before posting I tested it to the level of doing "echo hello && sleep 60 && echo hello", then closing the ssh session with a ~., and logging back in. The sleep process was not to be found.

However, I suspect that the ssh session will hang around after the packets start blackholing for long enough for the sleep && pfctl to work, whereas even ~. probably closed the session neatly. I'd consider it a little on the flaky side, however, but if it works, and it certainly is easy, then so be it.

Personally, I'd always do this sort of thing inside a screen session anyway, so it's a moot point for me.
16th June 2008, anomie

Quote:
Originally Posted by scottro
Yup, forgetting to add your ssh port can be a nuisance.
There's that, and there's also inserting a syntactically incorrect rule which breaks everything after it (at least in iptables and ipfw), including your ssh inbound rule. I've done that to myself several times.
16th June 2008, TerryP

Depending on your sshd_config, it's possible for ssh sessions to hang on the server when a connection dies. Whether processes that were running continue to execute in the shell until sshd terminates the user's session, or just go orphan, I dunno, but I would guess the latter.

Either way, unless Carpetsmoker has more details, I personally would use at/cron instead (and have today), because they generally offer more dependable, as in more well-defined, behavior in this kind of situation.