pfctl


pfctl

Alexander Belikov
Dear Community,

I want to fix a problem on one of my servers. The problem is 2 admins,
1 server :( Both of us have root access to it. It was the will of our
Top Management..

Sometimes my 'partner' disables a part of the pf rules to get a better
download rate for himself. I want to add some code to pfctl which
would add all important rules to pf. That way, even if those rules
weren't in pf.conf they would BE in pf.

I'm asking for an example of code to add my RDR rule.
Maybe, it looks like a silly game, but it isn't. Alternative ways are
discharge myself, kill second admin and so on... I want to fix this
_problem_ in my way.

Thanks in advance,
I'm sure I'll receive a solution


Re: pfctl

Gilles Chehade-2
Alexander Belikov wrote:

> Dear Community,
>
> I want to fix a problem on one of my servers. The problem is 2 admins,
> 1 server :( Both of us have root access to it. It was the will of our
> Top Management..
>
> Sometimes my 'partner' disables a part of the pf rules to get a better
> download rate for himself. I want to add some code to pfctl which
> would add all important rules to pf. That way, even if those rules
> weren't in pf.conf they would BE in pf.
>
> I'm asking for an example of code to add my RDR rule.
> Maybe, it looks like a silly game, but it isn't. Alternative ways are
> discharge myself, kill second admin and so on... I want to fix this
> _problem_ in my way.
>
> Thanks in advance,
> I'm sure I'll receive a solution
>
sysjail him and make it look like he is on the host system :-)


Re: pfctl

Francois Visconte-2
In reply to this post by Alexander Belikov
> I want to add some code to pfctl which
> would add all important rules to pf. That way, even if those rules
> weren't in pf.conf they would BE in pf.
>
I think it's a very bad idea. The best you can do, I think, is to write
a pfctl wrapper script in order to load your mandatory rules and rename
it to pfctl.
Anyway, you would do better to play with sudo and create an account for you
and another for the other admin.

If you persist in that idea take a look at pf(4).

cheers,
François Visconte


Re: pfctl

Andreas Kahari
On 13/10/06, fv <[hidden email]> wrote:

> > I want to add some code to pfctl which
> > would add all important rules to pf. That way, even if those rules
> > weren't in pf.conf they would BE in pf.
> >
> I think it's a very bad idea. The best you can do, I think, is to write
> a pfctl wrapper script in order to load your mandatory rules and rename
> it to pfctl.
> Anyway, you would do better to play with sudo and create an account for you
> and another for the other admin.
>
> If you persist in that idea take a look at pf(4).

I don't think technical solutions to management problems are the way
to go at all.  Just talk to the guy.  If that fails, talk to the
manager.  If that fails, have a really good think about your future.


Andreas


--
Andreas Kahari
Somewhere in the general Cambridge area, UK


Re: pfctl

Alexander Belikov
In reply to this post by Francois Visconte-2
>> I want to add some code to pfctl which
>> would add all important rules to pf. That way, even if those rules
>> weren't in pf.conf they would BE in pf.
>>
f> I think it's a very bad idea. The best you can do, I think, is to write
f> a pfctl wrapper script in order to load your mandatory rules and rename
f> it to pfctl.

I thought about it, but I can't see how to include my rules in the
existing pf.conf, which could be changed by the second admin.

f> Anyway, you would do better to play with sudo and create an account for you
f> and another for the other admin.

I'm logging in as root; my 'partner' has a user account with sudo
NOPASSWD: ALL

f> If you persist in that idea take a look at pf(4).

f> cheers,
f> Francois Visconte


--
Best regards,
 Alexander                            mailto:[hidden email]


Re: pfctl

NetNeanderthal
In reply to this post by Alexander Belikov
On 10/13/06, Alexander Belikov <[hidden email]> wrote:
> I want to fix a problem on one of my servers. The problem is 2 admins,
> 1 server :( Both of us have root access to it. It was the will of our
> Top Management..

Social problems will never be wholly resolved by technical solutions.

Speak to management about 'the problem' and then issue the following
command upon approval of your plan to regain control of the network:

# passwd

Good luck.


Re: pfctl

z0mbix-2
In reply to this post by Alexander Belikov
On 13/10/06, Alexander Belikov <[hidden email]> wrote:

> Dear Community,
>
> I want to fix a problem on one of my servers. The problem is 2 admins,
> 1 server :( Both of us have root access to it. It was the will of our
> Top Management..
>
> Sometimes my 'partner' disables a part of the pf rules to get a better
> download rate for himself. I want to add some code to pfctl which
> would add all important rules to pf. That way, even if those rules
> weren't in pf.conf they would BE in pf.
>
> I'm asking for an example of code to add my RDR rule.
> Maybe, it looks like a silly game, but it isn't. Alternative ways are
> discharge myself, kill second admin and so on... I want to fix this
> _problem_ in my way.
>
> Thanks in advance,
> I'm sure I'll receive a solution

Surely you should settle this in a more professional manner and
report this partner's misuse to your "Top Management" instead of
playing childish games.


Re: pfctl

Alexander Belikov
In reply to this post by Gilles Chehade-2
GC> Alexander Belikov wrote:

>> Dear Community,
>>
>> I want to fix a problem on one of my servers. The problem is 2 admins,
>> 1 server :( Both of us have root access to it. It was the will of our
>> Top Management..
>>
>> Sometimes my 'partner' disables a part of the pf rules to get a better
>> download rate for himself. I want to add some code to pfctl which
>> would add all important rules to pf. That way, even if those rules
>> weren't in pf.conf they would BE in pf.
>>
>> I'm asking for an example of code to add my RDR rule.
>> Maybe, it looks like a silly game, but it isn't. Alternative ways are
>> discharge myself, kill second admin and so on... I want to fix this
>> _problem_ in my way.
>>
>> Thanks in advance,
>> I'm sure I'll receive a solution
>>
GC> sysjail him and make it look like he is on the host system :-)

Sounds perfect! But it's impossible. He is doing some work on the
server; root rights are needed for it. For example, it's not
interesting for me to add new mail accounts for new employees, I'd
rather enhance my traffic counting system. He's fond of downloading
different things and he's impatient. So, sometimes he blocks inet
traffic for all except him and...... Top management of our company
doesn't want to do anything, it is obvious.

That's why I wanna patch pfctl. He'll never guess what happened :)

--
Best regards,
 Alexander                            mailto:[hidden email]


Re: pfctl

Shane J Pearson
In reply to this post by Alexander Belikov
Alexander,

On 13/10/2006, at 9:12 PM, Alexander Belikov wrote:

> I want to fix a problem on one of my servers. The problem is 2 admins,
> 1 server :( Both of us have root access to it. It was the will of our
> Top Management..

This is not an OpenBSD issue.

Management needs to appoint one of you to be senior over the other.  
This way both of you could even still have root access if need be,  
but one of you calls the shots as far as policy goes at that level.  
If management won't do that, you'll need to deal with the problem  
until you can find a job elsewhere where management have a clue. If  
you need to spend a lot of time managing management and the problems  
they create, then it might be better for your career and sanity to  
move on.


Shane J Pearson
shanejp netspace net au


Re: pfctl

Mike Hernandez-3
In reply to this post by Gilles Chehade-2
On Oct 13, 2006, at 8:31 AM, Gilles Chehade wrote:

> Alexander Belikov wrote:
>> Dear Community,
>>
>> I want to fix a problem on one of my servers. The problem is 2 admins,
>> 1 server :( Both of us have root access to it. It was the will of our
>> Top Management..
>>
>> Sometimes my 'partner' disables a part of the pf rules to get a better
>> download rate for himself. I want to add some code to pfctl which
>> would add all important rules to pf. That way, even if those rules
>> weren't in pf.conf they would BE in pf.
>>
>> I'm asking for an example of code to add my RDR rule.
>> Maybe, it looks like a silly game, but it isn't. Alternative ways are
>> discharge myself, kill second admin and so on... I want to fix this
>> _problem_ in my way.
>>
>> Thanks in advance,
>> I'm sure I'll receive a solution
>>
> sysjail him and make it look like he is on the host system :-)
>

If you really love the server you'll let it go. There's a story in a  
famous book about 2 possible mothers fighting over a baby. Maybe  
you've heard this story before? In the end the one that cared the  
most let it go, rather than have the baby cut in half ;)

What does the server do for you? If it does a lot then maybe find
another box, install OpenBSD 4.0 on it, and take some of the
responsibilities off of the server you and your alleged partner are
struggling over. Then you each get your own server, and even better,
you get to use your shiny new OpenBSD 4 CDs!

If it's a firewall, then find another box and carp them. This way if  
this other admin screws up one firewall, yours will be ready to step  
in and take over (and work better, if you do things right). I'm sure  
management would love a redundant firewall solution, right? Who  
wouldn't?

Good luck in any case,

Mike H


Re: pfctl

Stuart Henderson
In reply to this post by Francois Visconte-2
On 2006/10/13 14:36, fv wrote:
> > I want to add some code to pfctl which
> > would add all important rules to pf. That way, even if those rules
> > weren't in pf.conf they would BE in pf.
> >
> I think it's a very bad idea. The best you can do, I think, is to write
> a pfctl wrapper script in order to load your mandatory rules and rename
> it to pfctl.

Surely it's better to place mandatory rules on another box?


Re: pfctl

Gilles Chehade-2
In reply to this post by Alexander Belikov
Alexander Belikov wrote:

> GC> Alexander Belikov wrote:
>  
>>> Dear Community,
>>>
>>> I want to fix a problem on one of my servers. The problem is 2 admins,
>>> 1 server :( Both of us have root access to it. It was the will of our
>>> Top Management..
>>>
>>> Sometimes my 'partner' disables a part of the pf rules to get a better
>>> download rate for himself. I want to add some code to pfctl which
>>> would add all important rules to pf. That way, even if those rules
>>> weren't in pf.conf they would BE in pf.
>>>
>>> I'm asking for an example of code to add my RDR rule.
>>> Maybe, it looks like a silly game, but it isn't. Alternative ways are
>>> discharge myself, kill second admin and so on... I want to fix this
>>> _problem_ in my way.
>>>
>>> Thanks in advance,
>>> I'm sure I'll receive a solution
>>>
> GC> sysjail him and make it look like he is on the host system :-)
>
> Sounds perfect! But it's impossible. He is doing some work on the
> server; root rights are needed for it. For example, it's not
> interesting for me to add new mail accounts for new employees, I'd
> rather enhance my traffic counting system. He's fond of downloading
> different things and he's impatient. So, sometimes he blocks inet
> traffic for all except him and...... Top management of our company
> doesn't want to do anything, it is obvious.
>
> That's why I wanna patch pfctl. He'll never guess what happened :)
>  
I was just kidding with the sysjail, just like others I believe that
this is more of a social issue that needs to be fixed in other ways.

Gilles


Re: pfctl

Otto Moerbeek
In reply to this post by Stuart Henderson
On Fri, 13 Oct 2006, Stuart Henderson wrote:

> On 2006/10/13 14:36, fv wrote:
> > > I want to add some code to pfctl which
> > > would add all important rules to pf. That way, even if those rules
> > > weren't in pf.conf they would BE in pf.
> > >
> > I think it's a very bad idea. The best you can do, I think, is to write
> > a pfctl wrapper script in order to load your mandatory rules and rename
> > it to pfctl.
>
> Surely it's better to place mandatory rules on another box?

If you set them up in series, an extra firewall can block some
traffic, but not pass traffic that the other one has blocked.

Other setups have similar restrictions.

Back to the OP problem: if you cannot trust your fellow sys admins,
all is lost. Even hacking pf won't do, he can easily compile and use
a clean pfctl.

There is no other alternative than to restrict his rights, using sudo
or other means.

        -Otto
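Otto's closing point (restrict the second admin's rights with sudo) and Francois' earlier suggestion of separate accounts come down to a sudoers policy. The following is an added example, not something posted in the thread, showing the NOPASSWD: ALL grant Alexander describes next to a least-privilege alternative; the username admin2, the command list and the log file path are assumptions made for illustration.

```sudoers
# Weak grant, as described in the thread: unrestricted root without a
# password prompt, so any pfctl invocation (flushing or disabling the
# ruleset included) is permitted.
#   admin2  ALL = (ALL) NOPASSWD: ALL

# Restricted alternative (user name, paths and command list are assumed).
# When a Cmnd carries arguments, sudo requires the user's command line to
# match them exactly, so admin2 can inspect and reload the canonical
# ruleset but cannot flush it, disable pf, or load some other file.
Cmnd_Alias  MAILADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel
Cmnd_Alias  PFVIEW    = /sbin/pfctl -s rules, /sbin/pfctl -s states, /sbin/pfctl -s info
Cmnd_Alias  PFRELOAD  = /sbin/pfctl -f /etc/pf.conf

# Keep an audit trail of every sudo use and refusal.
Defaults    logfile=/var/log/sudo.log

# Password still required; no NOPASSWD tag.
admin2  ALL = (root) MAILADMIN, PFVIEW, PFRELOAD
```

Check the file with `visudo -c` before installing it. Two conditions make the restricted form hold: /etc/pf.conf must stay owned by root and not writable by admin2, otherwise `pfctl -f /etc/pf.conf` simply reloads whatever he edits, and no editor or shell may appear in the granted list, since any of them hands back a root shell. With the blanket root grant gone, the "compile a clean pfctl" escape Otto mentions is closed too: a private pfctl binary still needs write access to /dev/pf, which is root-only by default.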


Re: pfctl

Stuart VanZee
In reply to this post by Alexander Belikov
Or you could do what I would do...
Threaten to break his damn fingers...


Re: pfctl

Alexander Belikov
In reply to this post by Alexander Belikov
Thanks a lot for the feedback

I know that my problem is social, but there are some difficulties in solving
it on its level. I wouldn't write here if my social solutions had been a
success.

Some weeks ago my 'partner' had done something on his Win2003 server
which caused the arp info on 'our' OpenBSD server to be overwritten. As a
result the internet connection hung every 15-20 mins. To solve this, I've added
a cron job to do 'arp -da' every 3 minutes. I think I'll do something
with him physically soon :)

The problem with pf rules is still open for me. It is possible to fix it on
the technical level only.. and it is sad.


--
Best regards,
 Alexander                          mailto:[hidden email]