Re: safe PF start / restart

2007-04-12 Thread Jakub Głazik

christian johansson wrote:

> I had to set up a Linux firewall the other day, and I used the iptables
> script generating program shorewall.
> While pulling my hair over how ugly the iptables stuff (even via shorewall)
> is compared to OpenBSD's nice clean PF syntax, I did find one very nice
> feature in shorewall - safe restart.
>
> When safe restarting, shorewall will implement all rules in the iptables
> config files, then give the user a prompt: keep rules y/n?
>
> If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
> disabled and all traffic let in. If no answer then default to answer 'no'
> after 60 seconds.
> Very useful, even if just for the added peace of mind when applying new
> changes.
>
> Is there a ready-made script accomplishing this for OpenBSD / pf?  Or any
> plans of building such functionality?



Try something like this:

pfctl -nf newrules && pfctl -f newrules && sleep 30 && pfctl -f oldrules
or
pfctl -f newrules ; sleep 30 && pfctl -d

When you hit Ctrl+C during the sleep, the old rules will not be loaded / pf will
not be disabled.


It's a lazy solution, but it works for me; you can use something similar.

--
.: Jakub Głazik,
.: too geek to live, too leet to die ;-)
.: email & jabber: zytekatnuxi.pl



Re: safe PF start / restart

2007-04-12 Thread Kian Mohageri
On 4/11/07, christian johansson [EMAIL PROTECTED] wrote:

> I had to set up a Linux firewall the other day, and I used the iptables
> script generating program shorewall.
> While pulling my hair over how ugly the iptables stuff (even via shorewall)
> is compared to OpenBSD's nice clean PF syntax, I did find one very nice
> feature in shorewall - safe restart.
>
> When safe restarting, shorewall will implement all rules in the iptables
> config files, then give the user a prompt: keep rules y/n?
>
> If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
> disabled and all traffic let in. If no answer then default to answer 'no'
> after 60 seconds.
> Very useful, even if just for the added peace of mind when applying new
> changes.
>
> Is there a ready-made script accomplishing this for OpenBSD / pf?  Or any
> plans of building such functionality?
>
> Christian



FreeBSD has a similar script for ipfw(8) called change_rules.sh.  You could
probably modify it to suit your needs, but I haven't really looked at how it
works, as I don't find it necessary with pf.

http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/ipfw/change_rules.sh?annotate=1.2.2.5

-- 
Kian Mohageri



safe PF start / restart

2007-04-11 Thread christian johansson
I had to set up a Linux firewall the other day, and I used the iptables
script generating program shorewall.
While pulling my hair over how ugly the iptables stuff (even via shorewall)
is compared to OpenBSD's nice clean PF syntax, I did find one very nice
feature in shorewall - safe restart.

When safe restarting, shorewall will implement all rules in the iptables
config files, then give the user a prompt: keep rules y/n?

If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
disabled and all traffic let in. If no answer then default to answer 'no'
after 60 seconds.
Very useful, even if just for the added peace of mind when applying new
changes.

Is there a ready-made script accomplishing this for OpenBSD / pf?  Or any
plans of building such functionality?

Christian



Re: safe PF start / restart

2007-04-11 Thread Marco Peereboom
Did you read pfctl(8)?

On Wed, Apr 11, 2007 at 10:44:44AM -0700, christian johansson wrote:
> I had to set up a Linux firewall the other day, and I used the iptables
> script generating program shorewall.
> While pulling my hair over how ugly the iptables stuff (even via shorewall)
> is compared to OpenBSD's nice clean PF syntax, I did find one very nice
> feature in shorewall - safe restart.
>
> When safe restarting, shorewall will implement all rules in the iptables
> config files, then give the user a prompt: keep rules y/n?
>
> If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
> disabled and all traffic let in. If no answer then default to answer 'no'
> after 60 seconds.
> Very useful, even if just for the added peace of mind when applying new
> changes.
>
> Is there a ready-made script accomplishing this for OpenBSD / pf?  Or any
> plans of building such functionality?
>
> Christian



Re: safe PF start / restart

2007-04-11 Thread Jeff Quast

On 4/11/07, christian johansson [EMAIL PROTECTED] wrote:

> I had to set up a Linux firewall the other day, and I used the iptables
> script generating program shorewall.
> While pulling my hair over how ugly the iptables stuff (even via shorewall)
> is compared to OpenBSD's nice clean PF syntax, I did find one very nice
> feature in shorewall - safe restart.
>
> When safe restarting, shorewall will implement all rules in the iptables
> config files, then give the user a prompt: keep rules y/n?
>
> If 'yes' the rules are kept and everyone is happy. If 'no', iptables are
> disabled and all traffic let in. If no answer then default to answer 'no'
> after 60 seconds.
> Very useful, even if just for the added peace of mind when applying new
> changes.
>
> Is there a ready-made script accomplishing this for OpenBSD / pf?  Or any
> plans of building such functionality?
>
> Christian




I think I get what you're asking here... like switching monitor
resolutions and asking you to confirm that it worked by clicking a
button? If you can't see the button, you don't click it, and the old
resolution is reverted after 15 seconds. Right?

I've done this with pf. I used at(1) like anybody would. You can load
a new rule using pfctl -f /etc/pf.conf/new,  with an at(1) job to load
/etc/pf.conf at 60 seconds. If you want some fancy prompt, wrap it
with /bin/sh.

Personally I'd hate to see this as an actual 'feature' anywhere. If
everything this trivial was implemented into pfctl I would stop
reading manuals top to bottom. You should look at the command prompt
like a live programming environment. I recommend reading The UNIX
Programming Environment by Brian W. Kernighan and Rob Pike.



Re: safe PF start / restart

2007-04-11 Thread Mike Erdely
On Wed, Apr 11, 2007 at 02:44:10PM -0400, Jeff Quast wrote:
> On 4/11/07, christian johansson [EMAIL PROTECTED] wrote:
> > feature in shorewall - safe restart.
> >
> > Is there a ready-made script accomplishing this for OpenBSD / pf?  Or any
> > plans of building such functionality?
>
> I've done this with pf. I used at(1) like anybody would. You can load
> a new rule using pfctl -f /etc/pf.conf/new,  with an at(1) job to load
> /etc/pf.conf at 60 seconds. If you want some fancy prompt, wrap it
> with /bin/sh.
>
> Personally I'd hate to see this as an actual 'feature' anywhere. If
> everything this trivial was implemented into pfctl I would stop
> reading manuals top to bottom. You should look at the command prompt
> like a live programming environment. I recommend reading The UNIX
> Programming Environment by Brian W. Kernighan and Rob Pike.

Once you have a working ruleset, most changes shouldn't be enough to
affect YOUR connectivity to the firewall.  After running $EDITOR to
change your ruleset, run 'pfctl -nvf /etc/pf.conf' to make sure the
output matches your expectations before running 'pfctl -f /etc/pf.conf'.

-ME
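The pieces suggested in this thread (Jakub's pfctl -nf / -f / sleep one-liner, Jeff's delayed reload of the old file, Mike's parse-only check first) put together as one script; this is an added example, not code from the thread or from the pf project. It swaps the y/n prompt for a confirmation file so the confirmation can come from any session, including a fresh ssh login that proves the new rules still let you in; PFCTL and CONFIRM_FILE are the script's own assumed knobs, not pfctl options.

```shell
#!/bin/sh
# Safe pf reload: load NEW, wait for the operator to confirm, else fall back
# to OLD.  Confirmation is a file the operator touches (from this session or
# a fresh ssh login, which proves the new rules still let you in) instead of
# a y/n prompt on the current terminal.
# PFCTL and CONFIRM_FILE are hypothetical knobs of this script, overridable
# so the logic can be exercised on a box without pf or root.
PFCTL=${PFCTL:-pfctl}
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/pf.keep}

# safe_pf_reload NEW OLD [TIMEOUT]
# exit status: 0 = NEW kept, 1 = reverted to OLD, 2 = NEW rejected/not loaded
safe_pf_reload() {
    new=$1; old=$2; timeout=${3:-60}; waited=0
    rm -f "$CONFIRM_FILE"        # a stale confirmation must not count

    # Parse-only pass first (pfctl -n): a file pfctl cannot parse never
    # touches the live ruleset.  Add -v to eyeball the parsed rules too.
    if ! "$PFCTL" -nf "$new"; then
        echo "$new: syntax check failed, live ruleset untouched" >&2
        return 2
    fi
    "$PFCTL" -f "$new" || return 2

    echo "loaded $new; 'touch $CONFIRM_FILE' within ${timeout}s to keep it" >&2
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            echo "confirmed, keeping $new" >&2
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # No confirmation in time: back to the known-good file.  Reloading OLD
    # beats 'pfctl -d', which would leave the host with no filtering at all.
    "$PFCTL" -f "$old"
    echo "no confirmation within ${timeout}s, reverted to $old" >&2
    return 1
}

# Run as a script, e.g.: sh safe_pf_reload.sh /etc/pf.conf.new /etc/pf.conf 60
if [ "$#" -ge 2 ]; then
    safe_pf_reload "$@"
fi
```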