test tool to load pf rules

Stéphane Guedon
Hello the list.

First, I wish you all a great weekend.

Second, I am wondering if someone knows or has written some tool to prevent
yourself from being locked out of your online ssh server when writing pf
rules.

Something like: copy the new pf rules to /tmp, load them, and ask the user if
it's ok. If not, reload the previous rules two minutes later.

If the user doesn't answer, that means for some reason pf has blocked the ssh
connection. And at this point, the tool has to return automatically to the
previous state, where the connection was ok.

If that tool doesn't exist, I am going to write a small script for that
purpose.

Thanks for your answers.


Re: test tool to load pf rules

sven falempin
On Sat, Jun 14, 2014 at 7:17 AM, Stéphane Guedon <[hidden email]>
wrote:

> Hello the list.
>
> First, I wish you all a great weekend.
>
> Second, I am wondering if someone knows or has written some tool to prevent
> yourself from being locked out of your online ssh server when writing pf
> rules.
>

At the top of your rules you may put "pass in quick proto tcp from any to (self)
port ssh", or include a file that performs the pass quick rules that allow
you to use the machine remotely.

Then do not touch that part.

Another cool feature is an anchor; the anchor is untouched when reloading
(90% sure of that).


>
> Something like : copy the new pf rules in /tmp, load them, and ask the
> user if
> it's ok. If not, reload the previous rules two minutes later.
>
> If the user doesn't answer, that means for some reason pf has blocked ssh
> connection. And at this point, the automatism of the tool has to return to
> previous state, where connection was ok.
>
> If that tool doesn't exist, I am going to write a small script for that
> purpose.
>
> Thanks for your answers.
>
>


--
() ascii ribbon campaign - against html e-mail
/\
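The layout sven describes, as an added example that is not sven's code or part of the original post: the SSH guard rule lives in its own file and is loaded into a named anchor, so that editing and reloading the main ruleset cannot remove it. The guard file path, the anchor name "ssh-guard" and the skeleton pf.conf are assumptions chosen for this example. The last function checks a ruleset file offline and needs no pf at all.

```shell
#!/bin/sh
# Added example, not from the thread: keep the SSH guard rule in its own file
# and load it into an anchor, so that editing and reloading /etc/pf.conf
# cannot remove it. The file path and the anchor name "ssh-guard" are
# assumptions chosen for this example.

GUARD=${GUARD:-/etc/pf.ssh-guard.conf}

# The guard rule. "quick" makes it the last rule evaluated for a matching
# packet, so no later "block" in the main ruleset can override it; "(self)"
# expands to every address on the host and is re-evaluated when addresses
# change. Narrow "from any" to a management network if you have one.
write_guard_file() {
    cat > "$1" <<'EOF'
pass in quick proto tcp from any to (self) port ssh
EOF
}

# Main ruleset skeleton: the anchor is attached before any block rule, and
# only the part after the anchor line is meant to be edited later. A quick
# rule that matches inside the anchor ends evaluation just as it would in
# the main ruleset. (The alternative sven mentions is an include line,
# include "/etc/pf.ssh-guard.conf", in the same position.)
write_main_skeleton() {
    cat > "$1" <<'EOF'
set skip on lo
anchor "ssh-guard"
block all
# ... site rules below this line ...
EOF
}

# Load the guard into its anchor. "pfctl -f /etc/pf.conf" replaces the main
# ruleset but leaves rules loaded into a named anchor in place as long as
# the anchor line itself stays in pf.conf, so later reloads keep the guard.
load_guard_anchor() {
    pfctl -a ssh-guard -f "$GUARD"
}

# Offline check that the anchor (or the inline guard rule) precedes every
# other filter rule in a ruleset file. Comments, blank lines, macros, "set"
# options and "table" definitions filter nothing and are skipped.
# Returns 0 if the guard comes first, 1 otherwise.
guard_is_first() {
    first=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/               { next }   # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # macro definition
        /^[ \t]*(set|table)[ \t]/              { next }   # option or table
        { print; exit }
    ' "$1")
    case "$first" in
        'anchor "ssh-guard"'*) return 0 ;;
        'pass in quick proto tcp from any to (self) port ssh'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use (run as root on the firewall):
#   write_guard_file "$GUARD"; load_guard_anchor
#   guard_is_first /etc/pf.conf && pfctl -f /etc/pf.conf
```

Run guard_is_first against the candidate file before every reload; if someone has moved a block rule above the anchor, the reload is refused before it can lock you out.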


Re: test tool to load pf rules

Gregor Best
In reply to this post by Stéphane Guedon
I just use something like

        pfctl -v -f /etc/pf.conf.new ; sleep 30; pfctl -f /etc/pf.conf

in a tmux session. That gives me 30 seconds to test what I was going to
test and then reverts to the original file.

--
        Gregor Best
--

After I run your program, let's make love like crazed weasels, OK?


Re: test tool to load pf rules

Stéphane Guedon
In reply to this post by Stéphane Guedon
On Saturday, 14 June 2014 05:55:19, you wrote:
> > If the user doesn't answer, that means for some reason pf has blocked ssh
> > connection.
>
> This shouldn't happen as long as you don't flush your state table.

That happened quite often. Obviously I am to blame. Now I take extra
precautions. And one of the ways is to use / create this tool I am aiming for!


> Load your new rules, then try to ssh from another terminal.  If you
> can't connect, go back to your original terminal and undo your
> changes.


Re: test tool to load pf rules

Nicolai-8
In reply to this post by Stéphane Guedon
On Sat, Jun 14, 2014 at 01:17:14PM +0200, Stéphane Guedon wrote:
> Second, I am wondering if someone knows or has written some tool to prevent
> yourself from being locked out of your online ssh server when writing pf
> rules.
>
> Something like : copy the new pf rules in /tmp, load them, and ask the user if
> it's ok. If not, reload the previous rules two minutes later.

From the pfctl manpage:

-n      Do not actually load rules, just parse them.

So, you have your /etc/pf.conf and /etc/pf.conf.tmp files.  You do
pfctl -nf /etc/pf.conf.tmp, check the return code, and then either mv
the file to pf.conf and load it upon success, or report an error and
exit, leaving the good rules in place.

Nicolai
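The three suggestions in this thread fit together into one small loader, shown here as an added example that is not code from any of the posters: it parses the candidate with "pfctl -nf" before touching anything (Nicolai's check), loads it with a revert timer running in the background (Gregor's one-liner, made cancellable), and keeps the candidate only if the operator confirms in time, which is the tool Stéphane asked for. The file names, the "keep" prompt and the 120 second window are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: load a candidate pf ruleset without
# locking yourself out of SSH. The file names and the 120 second window are
# assumptions for this example.
#
# "pfctl -f" replaces the ruleset without flushing the state table, so the
# SSH session running this script stays up even when the new rules would
# block SSH; the real test is therefore a NEW ssh login from a second
# terminal, and the prompt says so. Run it inside tmux or screen as Gregor
# does, so that a dropped session cannot take the shell down with it.

GOOD=${GOOD:-/etc/pf.conf}
NEW=${NEW:-/etc/pf.conf.new}
TIMEOUT=${TIMEOUT:-120}

# Parse only (-n); exit status 0 means pfctl accepted the file.
check_syntax() {
    pfctl -nf "$1" >/dev/null 2>&1
}

# safe_load CANDIDATE GOOD SECONDS
# Returns 0 if the candidate was confirmed and copied over GOOD, 1 if it was
# rejected by the parser, reverted by the timer or declined by the operator.
safe_load() {
    candidate=$1 good=$2 seconds=$3
    check_syntax "$candidate" || {
        echo "syntax error in $candidate, nothing loaded" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    flag=$dir/reverted
    pfctl -f "$candidate" || { rm -rf "$dir"; return 1; }
    # Revert timer. It ignores SIGHUP so a dropped SSH session does not stop
    # it; killing the subshell before the sleep ends prevents the revert.
    # The flag is written before the reload so the caller can tell whether
    # the timer got that far.
    ( trap '' HUP
      sleep "$seconds" </dev/null >/dev/null 2>&1
      : > "$flag"
      pfctl -f "$good" ) &
    timer=$!
    printf 'Loaded %s. Open a NEW ssh session now.\n' "$candidate"
    printf 'Type "keep" within %s seconds to keep it: ' "$seconds"
    read -r answer || answer=
    kill "$timer" 2>/dev/null || true
    wait "$timer" 2>/dev/null || true
    if [ -e "$flag" ]; then
        rm -rf "$dir"
        # Reload the good file once more in case the timer was killed after
        # setting the flag but before its own reload; harmless if it ran.
        pfctl -f "$good" >/dev/null 2>&1 || true
        echo "no confirmation in time: reverted to $good" >&2
        return 1
    fi
    rm -rf "$dir"
    if [ "$answer" = keep ]; then
        cp "$candidate" "$good" || return 1
        echo "kept: $candidate copied to $good"
        return 0
    fi
    pfctl -f "$good" || echo "WARNING: reverting to $good failed" >&2
    echo "declined: reverted to $good" >&2
    return 1
}

# Typical use (as root, inside tmux):  safe_load "$NEW" "$GOOD" "$TIMEOUT"
```

Nothing here ever passes -F to pfctl, so the existing states, including the one for your own session, are left alone, which is exactly why the prompt insists on a fresh login as the test.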