Firewalling while logged in over the network
From FBSD_tips
OR "closing the door after the barn has burned down" ... or something like that ...
In a word: avoid it. Well, OK, that was two words, but if you can reach the firewall over an out-of-band channel, do yourself a favor and use that route. Any reputable colo will have some provision for console access; if they don't, it calls their service into question, in my opinion. If you must unavoidably firewall while logged in over the network, here are some tips.
Have the box unlock itself
With change_rules.sh
FreeBSD provides a script for testing IPFW rulesets. It loads a named ruleset and reverts to the old one if you don't confirm the change within 30 seconds.
With cron
I use a custom script for my firewall rulesets, so I need a different approach to achieve the same thing. This method uses cron to open the firewall every minute. When you are done, remove the cron entry.
Put this into a script (the cron entry below expects it at /sbin/open_firewall.sh, and it must be executable):
#!/bin/sh
# Emergency unlock: drop every rule and let all traffic through.
/sbin/ipfw -f flush
/sbin/ipfw add pass all from any to any
And then add a cron job that runs every minute :
* * * * * /sbin/open_firewall.sh
Now if you lock yourself out, it is only temporary. REMEMBER to disable this when you are done.
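As an added example (not from the original page and not FreeBSD's change_rules.sh), here is a POSIX sh script that combines the two ideas above: it applies a hand-written ruleset file with the same revert-unless-confirmed logic as change_rules.sh, using the flush-and-replay commands from the cron recipe. The $IPFW and $BACKUP variables, the file paths and the apply_ruleset function name are assumptions for illustration.

```shell
#!/bin/sh
# Timed IPFW reload (added example, modelled on the idea of
# change_rules.sh but not that script): load a new ruleset, then put the
# previous one back unless the operator confirms within a deadline.
# $IPFW and $BACKUP are assumed names; override them for dry runs.
IPFW="${IPFW:-/sbin/ipfw}"
BACKUP="${BACKUP:-/var/tmp/ipfw.rules.prev}"

# Save the running ruleset as "add ..." lines that ipfw(8) can replay
# from a file.  Rule 65535 is the built-in default and cannot be added.
save_rules() {
    "$IPFW" -q list | grep -v '^65535 ' | sed 's/^/add /' > "$BACKUP"
}

# Revert: flush everything and replay the saved ruleset.
restore_rules() {
    "$IPFW" -q -f flush
    "$IPFW" -q "$BACKUP"
}

# apply_ruleset FILE [SECONDS]: load FILE, then wait for a "y" on stdin.
# A background timer reverts after SECONDS (default 30) if no "y" arrives,
# which covers the case where the new rules kill this very session.
# Returns 0 if the new rules were kept, 1 if they were reverted.
apply_ruleset() {
    new="$1"; timeout="${2:-30}"
    save_rules
    "$IPFW" -q -f flush
    "$IPFW" -q "$new"
    ( sleep "$timeout" && restore_rules ) &
    timer=$!
    echo "New rules loaded; type y within ${timeout}s to keep them:"
    # kill succeeds only while the timer is still alive, i.e. before it
    # has already reverted; a late "y" therefore does not claim success.
    if read -r answer && [ "$answer" = "y" ] && kill "$timer" 2>/dev/null; then
        echo "Rules kept."
        return 0
    fi
    # Wrong answer, or EOF because the session died: revert right away
    # instead of waiting out the timer (restoring twice is harmless).
    kill "$timer" 2>/dev/null || :
    restore_rules
    echo "Not confirmed; previous rules restored."
    return 1
}

# Run as a script: safe_reload.sh /etc/ipfw.new [seconds]
if [ $# -gt 0 ]; then apply_ruleset "$1" "${2:-30}"; fi
```

Run it from inside screen so the prompt survives a dropped connection; if the new rules cut you off, the timer restores the old ruleset and you can log back in.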
Keep your session even if disconnected
Run your work inside a screen session. That way, if you are locked out and have to log back in, you can see what was printed while you were kicked off, your command history remains intact, and you are still in the directory you were working in. This stuff might seem small ... until you have to type it over and over while you iterate through problem solutions.
Discussion
This assumes IPFW, the analog for IPFILTER should be quite simple to modify.
'kldload ipfw' will immediately lock you out if you run that over the network, as its solitary default rule is to deny.
For PF, this is somewhat less imperative. It is capable of building states on load, and states are allowed through regardless of new rules.
There is a script in /usr/src/share/examples/ipfw/change_rules.sh that does something very similar, along with saving the old ruleset and reverting back to it if something goes wrong.
Gongo 20:34, 6 February 2008 (UTC)
