I'd like to tell my BSD PF firewall to flush out the current configuration every 2 minutes. This will help when I'm testing new rules and configuration options. Sometimes I find myself locked out of my own remote server. How do I reset the PF firewall automatically without issuing a hard reboot?
There is no need to write a shell script and call it from cron. You can load the rules from /etc/pf.conf, sleep for 120 seconds, and then disable pf:
# /sbin/pfctl -f /etc/pf.conf && sleep 120 && /sbin/pfctl -d
Where,
- -f /etc/pf.conf - Load the rules contained in /etc/pf.conf.
- -d - Disable the packet filter.
- sleep 120 - The sleep command suspends execution for a minimum of the given number of seconds (here 120) before the next command runs.
You can also test pf.conf for syntax errors:
# /sbin/pfctl -nf /etc/pf.conf
Finally, the && (AND list) shell control operator is used to run the next command only if the first command returns an exit status of zero. So each command in the list must succeed in order for the next command to run:
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf && sleep 120 && /sbin/pfctl -d
See - How To Reset Linux Firewall Automatically While Testing Configuration With Remote Server Over SSH Session
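As an added example (not code from the article or from any of its commenters), here is the same sequence wrapped in a POSIX sh function: it refuses to touch pf if the candidate ruleset fails `pfctl -nf`, loads it, waits, and then either reverts to a known-good ruleset or disables pf. The PFCTL and SLEEP variables are assumptions so the logic can be exercised against a stub without a live firewall.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumptions: PFCTL points at pfctl (default /sbin/pfctl) and the caller
# runs as root; both PFCTL and SLEEP can be overridden for dry runs.
PFCTL="${PFCTL:-/sbin/pfctl}"
SLEEP="${SLEEP:-sleep}"

# pf_try_rules RULESET SECONDS [FALLBACK]
#   1. syntax-check RULESET with pfctl -nf; on error, leave pf untouched
#   2. load RULESET
#   3. wait SECONDS, then load FALLBACK (a known-good pf.conf) if given,
#      otherwise disable pf with pfctl -d, as in the article's one-liner
# Exit status: 0 completed cycle, 1 syntax error, 2 load failure.
pf_try_rules() {
    ruleset=$1
    secs=$2
    fallback=${3:-}

    if ! "$PFCTL" -nf "$ruleset"; then
        echo "syntax error in $ruleset; firewall left unchanged" >&2
        return 1
    fi
    "$PFCTL" -f "$ruleset" || return 2
    "$SLEEP" "$secs"
    if [ -n "$fallback" ]; then
        "$PFCTL" -f "$fallback"      # revert to the trusted ruleset
    else
        "$PFCTL" -d                  # or open the firewall, as the article does
    fi
}
```

Run it as `pf_try_rules /etc/pf.testing 120 /etc/pf.conf` and, if the new rules work, load them permanently before the timer expires.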
3 comments
This is great, although you might already have a working rule set. In which case you wouldn’t want to take down the whole firewall over a mistake. My working method has been about the same as above, but I keep new rules in their own file, pf.testing. Then you can do the 120 second delay to load the original set if things went wrong. This way there are no open hole(s) in your firewall while you're testing. Obviously it’s highly unlikely you’ll have an attack the moment you bring the firewall down. I just think it’s better practice if there is a choice.
Thinking about it, the -nf option is very useful in testing new rules; you are always kept behind your trustful gateway.
Saviour!