Peter <[EMAIL PROTECTED]> writes:

> I am looking for guidance on (3.8) pf configuration that will help
> prevent remote SSH access from being blocked due to the loading of a bad
> ruleset.
The obvious advice is, "don't write lockout rules" and "don't flush your old rules before loading fresh ones unless you've tested the new rules".

Then again, you could go for a "back out to last known good" approach by testing your rule sets with a script that loads your new rule set but, always assuming you have saved your previous config somewhere accessible, backs out to your last working version after a few minutes.

On OpenBSD, the default rule set which gets loaded before your network interfaces are configured lets you ssh in. This is extremely useful if you manage to create an invalid rule set and reboot.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
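The "back out to last known good" script Peter describes, written out as an added example (this is not code from the thread or from OpenBSD). It assumes the known-good ruleset is the file in PF_GOOD (default /etc/pf.conf) and the candidate is a separate file passed on the command line; the pid-file path and the 180-second default wait are also assumptions. The script syntax-checks the candidate with `pfctl -n` first, loads it, and arms a background job that reloads the known-good file unless the operator, who still has a working ssh session, runs the script again with --keep before the timer fires.

```sh
#!/bin/sh
# pf-try: load a candidate pf.conf, then fall back to the last known-good
# ruleset automatically unless the operator confirms in time.
#   pf-try /etc/pf.conf.new [seconds]   load candidate, arm the fallback
#   pf-try --keep                       cancel the fallback, keep the candidate
set -eu

PF_GOOD=${PF_GOOD:-/etc/pf.conf}            # known-good ruleset (assumed path)
PF_STATE=${PF_STATE:-/var/run/pf-try.pid}   # pid of the pending fallback job (assumed path)
PF_WAIT=${PF_WAIT:-180}                     # seconds before falling back (assumed default)

# Parse-only check: pfctl -n reads the file without loading it and fails
# on syntax errors, so a broken file never reaches the kernel.
pf_check() {
    pfctl -nf "$1"
}

# Load a ruleset for real.
pf_load() {
    pfctl -f "$1"
}

# Load the candidate and arm a timed fallback to PF_GOOD.
pf_try() {
    new=$1
    wait=${2:-$PF_WAIT}
    pf_check "$new" || { echo "refusing to load $new: syntax error" >&2; return 1; }
    pf_load "$new"
    # Background job: after the grace period, reload the known-good file.
    # If the new rules lock us out, this is what lets us back in.
    ( sleep "$wait"; pf_load "$PF_GOOD"; rm -f "$PF_STATE" ) &
    echo $! > "$PF_STATE"
    echo "loaded $new; run '$0 --keep' within ${wait}s or $PF_GOOD comes back"
}

# We still have a shell, so the new rules are good: disarm the fallback.
# Promoting the candidate to PF_GOOD is left to the operator on purpose.
pf_keep() {
    [ -f "$PF_STATE" ] || { echo "no fallback pending" >&2; return 1; }
    kill "$(cat "$PF_STATE")" 2>/dev/null || true
    rm -f "$PF_STATE"
    echo "fallback cancelled; remember to copy the candidate over $PF_GOOD"
}

case ${1:-} in
    --keep) pf_keep ;;
    ?*)     pf_try "$@" ;;
    *)      echo "usage: $0 /path/to/candidate.conf [seconds] | $0 --keep" >&2 ;;
esac
```

Two caveats worth keeping in mind: `pfctl -n` only catches parse errors, not rules that are syntactically fine but block port 22, which is exactly what the timer is for; and the fallback job lives in this shell's process table, so if the box reboots in the meantime you are relying on the default ruleset Peter mentions, not on this script.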
