On 10/1/14 9:57 AM, Zoran Kolic wrote:
> I intend to load the pf firewall on rpi and not stay locked out of the
> node. The only communication is via ssh.
Hi, Zoran.

You're right about putting pf=YES in /etc/rc.conf; I would not do that until I was confident my configuration was right.

Does "rpi" mean "Raspberry Pi"? If so, then is it easy to power cycle the device? If so, you can just try your rules, and if you get locked out, power cycle it.

But normally I wouldn't even plan to power cycle my machine to recover. Before trying new firewall rules, I just run something to disable the firewall after a period of time in case I lock myself out. So, I'd do something like this:

    # nohup sh -c 'sleep 15; pfctl -d' < /dev/null > /dev/null 2>&1 &

That runs the sh process in the background, detached from standard input, standard output, and standard error, and ignoring the SIGHUP signal. After 15 seconds it runs "pfctl -d" to disable the firewall.

Or you could just start a tmux session, and do the following in a window:

    # sleep 15; pfctl -d

BTW, as of NetBSD 6, there's a new packet filter for NetBSD called NPF. See npf.conf(5), npfctl(8), and /usr/share/examples/npf. There's also a document by the NPF author titled "NPF documentation" <http://www.netbsd.org/~rmind/npf/>. I think it documents the latest NPF, so if you're not running the latest NetBSD, beware that some things might be slightly different for your NPF.

Regards,
Lewis
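The detached timer Lewis describes, written out as a small reusable script. This is an added example and not part of the thread: it arms the "disable pf after N seconds" watchdog first, then loads the new ruleset, and prints the watchdog's PID so the operator can cancel it once the ssh session has proven to survive. It assumes pfctl(8) with the -f, -e and -d flags as on NetBSD; the rules path /etc/pf.conf, the 60-second timeout and the script name safe-pf.sh are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a timed "dead man's switch" around
# loading new pf rules over ssh. If the new ruleset cuts the session off, the
# detached timer disables pf after a timeout; if the session survives, the
# operator kills the timer. Assumed: pfctl(8) as on NetBSD; /etc/pf.conf,
# the 60s timeout and the script name safe-pf.sh are assumptions.

# Start a detached timer that runs the command in $2 after $1 seconds, with
# stdin/stdout/stderr detached and SIGHUP ignored (so the ssh session dying
# does not take it down), and print its PID so it can be cancelled later.
start_watchdog() {
    _secs=$1
    _cmd=$2
    nohup sh -c "sleep $_secs; $_cmd" </dev/null >/dev/null 2>&1 &
    echo $!
}

# Cancel a running timer. Killing the sh wrapper means the command after
# "sleep" never runs, even though the orphaned sleep itself finishes.
cancel_watchdog() {
    kill "$1" 2>/dev/null
}

# Arm the watchdog before loading, so a load that hangs the session is still
# covered. $1 = timeout seconds, $2 = load command, $3 = rollback command.
# Prints the watchdog PID on success; returns 1 if the load command failed.
guarded_apply() {
    _timeout=$1
    _load=$2
    _rollback=$3
    _pid=$(start_watchdog "$_timeout" "$_rollback")
    if ! eval "$_load"; then
        # pfctl -f does not replace the running rules when the file fails to
        # parse, so there is nothing to roll back; just drop the timer.
        cancel_watchdog "$_pid"
        return 1
    fi
    echo "$_pid"
}

# Interactive use, only when invoked with the word "apply" so that the
# functions above can be sourced for testing without touching pf:
#   # sh safe-pf.sh apply
#   rules loaded; pf will be disabled in 60s unless you run: kill 1234
if [ "${1:-}" = "apply" ]; then
    pid=$(guarded_apply 60 "pfctl -f /etc/pf.conf && pfctl -e" "pfctl -d") || exit 1
    echo "rules loaded; pf will be disabled in 60s unless you run: kill $pid"
fi
```

Arming the timer before the load, rather than after, matters: if the load itself is what severs the connection, a timer started afterwards would never be typed. The timeout should be long enough to ssh back in and confirm, but short enough that a lockout is not a long outage.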