christian johansson wrote:
I had to set up a linux firewall the other day, and I used the iptables
script generating program shorewall.
While pulling my hair over how ugly the iptables stuff (even via shorewall)
is compared to OpenBSD's nice clean PF syntax, I did find one very nice
feature in shorewall - safe restart.
When safe restarting, shorewall will implement all rules in the iptables
config files, then give the user a prompt: keep rules y/n?
If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
disabled and all traffic let in. If no answer then default to answer 'no'
after 60 seconds.
Very useful, even if just for the added peace of mind when applying new
changes.
Is there a ready made script accomplishing this for openbsd / pf? Or any
plans of building such functionality?
Try sth like this:
pfctl -nf newrules && pfctl -f newrules && sleep 30 && pfctl -f oldrules
or
pfctl -f newrules ; sleep 30 && pfctl -d
When you hit Ctrl+c during sleep, old rules will not be loaded/pf will
not be disabled
It's a lazy solution, but it works for me; you can use something similar.
--
.: Jakub Głazik,
.: too geek to live, too leet to die ;-)
.: email & jabber: zytek<at>nuxi.pl
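The one-liners above worked up into a reusable script, as an added example that is not from this thread: it refuses a ruleset that fails pfctl -n, snapshots the running filter rules with pfctl -sr, loads the new file and rolls back after a timeout unless Ctrl+C is pressed, and ignores SIGHUP so the rollback still runs when the new rules cut off the ssh session that started it. pfctl(8) on PATH and the PFCTL override variable are assumptions; anchors, tables and nat/queue state are not covered by the snapshot.

```shell
#!/bin/sh
# Added example, not from the thread: pf "safe reload" in the spirit of
# shorewall's safe-restart. Syntax-check the new file, snapshot the running
# filter rules, load the new ones, then revert after TIMEOUT seconds unless
# the operator presses Ctrl+C. Assumed: pfctl(8) is on PATH, or PFCTL names
# a stand-in (used for testing); only filter rules (pfctl -sr) are saved.

PFCTL="${PFCTL:-pfctl}"

# safe_reload NEWRULES [TIMEOUT]
# Exit status: 0 new rules kept (Ctrl+C seen), 1 reverted to the old rules,
# 2 the new file failed the syntax check and nothing was touched.
safe_reload() {
    new=$1
    timeout=${2:-60}
    old=$(mktemp /tmp/pf.old.XXXXXX) || return 2

    # Never replace a working ruleset with one that does not even parse.
    "$PFCTL" -nf "$new" >/dev/null 2>&1 || { rm -f "$old"; return 2; }
    # Snapshot the live filter rules so there is something to roll back to.
    "$PFCTL" -sr > "$old" || { rm -f "$old"; return 2; }

    # Ignore SIGHUP: if the ssh session that started us is cut off by the new
    # rules, the rollback below must still run, otherwise we stay locked out.
    trap '' HUP
    keep=0
    trap 'keep=1' INT          # Ctrl+C during the countdown = keep new rules

    "$PFCTL" -f "$new" || { "$PFCTL" -f "$old"; rm -f "$old"; return 1; }
    echo "new rules loaded; press Ctrl+C within ${timeout}s to keep them" >&2

    # Sleep in the background and wait: a trapped signal interrupts wait at
    # once, whereas a foreground sleep would delay the trap until it ends.
    sleep "$timeout" &
    sleeper=$!
    wait "$sleeper" 2>/dev/null
    kill "$sleeper" 2>/dev/null
    trap - INT HUP

    if [ "$keep" -eq 1 ]; then
        echo "keeping new rules" >&2
        rm -f "$old"
        return 0
    fi
    echo "no confirmation within ${timeout}s; restoring previous rules" >&2
    "$PFCTL" -f "$old"
    rm -f "$old"
    return 1
}
```

Run it as root from a console or a session you can afford to lose, e.g. `sh safe_reload.sh /etc/pf.conf.new 60`; the `-f` rollback loads only what `pfctl -sr` printed, so anchors and tables should be checked by hand afterwards.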