On 12/23/-58 20:59, James Seward wrote:
> On 8/11/06, beno <[EMAIL PROTECTED]> wrote:
>> I am half a world away from my console. If I make a mistake entering my
>> PF rules, I could lock myself out. It would be nice if I had a script I
>> could activate by cron that automatically flushed out my rc.conf that
>> I'm experimenting with and loaded the original. That way, I could set
>> the cron, load my experimental rc.conf, reboot and see if I could still
>> connect to my box. If I couldn't, then all I'd have to do is wait a few
>> minutes and then I could try again. Surely I'm not the first person to
>> have thought of this. Anyone have a script that does this?
>
> I do this by having a screen session running, and a known-good
> pf.conf.safe:
>
> # pfctl -f pf.conf && sleep 60 && pfctl -f pf.conf.safe
>
> Then I detach my screen and try to login again, or test whatever I
> wanted to. If it's all good and I haven't locked myself out, I just
> have to get back into screen before 60 seconds pass and hit ^C. If I
> don't do that in time, it'll load my safe ruleset.
>
> /JMS
Wait! That might render your box inaccessible. What if your terminal session dies? Then the pfctl command after sleep will never be executed.

It's better to do something like:

echo "pfctl -f whateveryoursavedpf.confis" | at + 5 minutes

or you may just use `echo "pfctl -d" | at + 5 minutes' which would just disable pf and your box will be accessible if something has gone wrong within 5 minutes. If you're happy with your new rules, you may `atrm' the job.

Greetings,
Volker

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
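The at(1)-based fallback described in the reply above, written out as a small POSIX sh script. This is an added example for this thread, not a script from FreeBSD, pf, or either poster; the file names pf.conf.new and pf.conf.safe, the script name pf-safe-reload, and the PFCTL/AT/ATRM/DELAY_MIN variables are assumptions. It adds two checks the thread does not spell out: the candidate and safe rulesets are parse-checked with `pfctl -n` before anything is loaded, and the revert job is queued before the new rules go live, so a failed `pfctl -f` still leaves the revert in place.

```shell
#!/bin/sh
# pf-safe-reload: load an experimental pf ruleset with an automatic fallback.
#   1. parse-check the candidate (and the safe file) with pfctl -n
#   2. queue a revert to the known-good ruleset via at(1); unlike a
#      backgrounded "sleep && pfctl", an at job survives a dead terminal
#   3. load the candidate and print the at job id
# Once you have confirmed you can still log in, cancel the revert with atrm.
# Added example for this thread; not a FreeBSD or pf project script.
set -eu

PFCTL="${PFCTL:-pfctl}"       # overridable so the logic can be exercised without root/pf
AT="${AT:-at}"
ATRM="${ATRM:-atrm}"
DELAY_MIN="${DELAY_MIN:-5}"   # minutes until the revert fires

# Parse-check a ruleset file without loading it (pfctl -n), so a file with a
# syntax error never replaces a working ruleset. Returns pfctl's exit status.
check_ruleset() {
    "$PFCTL" -nf "$1"
}

# Shell text of the at(1) job. With a safe file, reload it; with no argument,
# fall back to "pfctl -d" (disable pf entirely), as the reply suggests.
revert_job() {
    if [ -n "${1:-}" ]; then
        printf '%s -f %s\n' "$PFCTL" "$1"
    else
        printf '%s -d\n' "$PFCTL"
    fi
}

# Queue the revert job. at(1) reports "job N at <date>" on stderr; extract N
# so the caller can atrm it later. Prints the job id on stdout.
schedule_revert() {
    revert_job "${1:-}" | "$AT" "now + ${DELAY_MIN} minutes" 2>&1 \
        | sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# Full procedure: check, queue the revert, then load the candidate.
# Usage: safe_reload /etc/pf.conf.new [/etc/pf.conf.safe]
safe_reload() {
    candidate="$1"
    safe="${2:-}"
    check_ruleset "$candidate" || { echo "refusing to load $candidate: parse error" >&2; return 1; }
    if [ -n "$safe" ]; then
        check_ruleset "$safe" || { echo "safe ruleset $safe does not parse" >&2; return 1; }
    fi
    job=$(schedule_revert "$safe")
    [ -n "$job" ] || { echo "could not queue revert job via $AT" >&2; return 1; }
    # Load the candidate only after the revert is queued: if this step fails,
    # the queued job still restores the safe ruleset (or disables pf).
    "$PFCTL" -f "$candidate"
    echo "$job"
}

# Cancel the queued revert once you have verified you can still log in.
confirm_reload() {
    "$ATRM" "$1"
}

# Run the procedure only when invoked as a script named pf-safe-reload*.
case "${0##*/}" in
    pf-safe-reload*) safe_reload "$@" ;;
esac
```

Typical use: `pf-safe-reload /etc/pf.conf.new /etc/pf.conf.safe` prints the at job id; after a successful test login, `atrm <id>` (or `confirm_reload <id>` from a sourced copy) cancels the fallback. On FreeBSD, at jobs are executed by /usr/libexec/atrun from cron, so check that the atrun entry in /etc/crontab is enabled before relying on this; otherwise the revert will never fire, which is exactly the failure the reply warns about.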