$ vim pf.conf.new                      ... write new packet filter configuration file
$ pfctl -nf pf.conf.new                ... silent output if no errors
$ su - root
Password:
# cd /etc
# mv pf.conf pf.conf.old
# cp /home/Terry/pf.conf.new /etc/pf.conf && rm /home/Terry/pf.conf.new
# chmod 644 pf.conf && chown root:wheel pf.conf
# echo 'pfctl -F all -d' | at hhmm     ... unlock the door if we screw up
# pfctl -e
Enabling or disabling the packet filter (-e, -d) kills the SSH connection, but in the event of any embarrassing "oh crap, I've locked myself out" accidents, the at job will flush the firewall's settings and disable it. Believe me, if you've got a system running with no head or physical inputs (e.g. no monitor, no keyboard), ya really want to use such a thing... I still remember coming home from a *very* bad day at work, working on my rule sets, locking myself out 5 times, and having to hook up a monitor and keyboard to the server each time >_>.
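Here is the same no-lock-out routine as a small sh script. This is an added example, not code from the original post, and it goes a bit beyond it in two places: it runs pfctl -f to load the freshly installed file before -e (since -e on its own only enables whatever ruleset the kernel already holds), and it keeps the at job id so you can atrm it once you've confirmed a fresh login still works. The $PFCTL/$AT/$ATRM/$PF_CONF/$PF_OWNER variables and the parsing of at's "job <id> at ..." reply line are my own assumptions, made so the steps can be dry-run against stubs.

```shell
#!/bin/sh
# Added example, not from the original post: the "no lock-out" pf reload
# above as a script. Assumptions: pfctl(8), at(1) and atrm(1) are reached
# through $PFCTL/$AT/$ATRM so the steps can be dry-run with stubs; the
# owner, config path and at(1)'s "job <id> at ..." reply line are likewise
# assumptions made here rather than taken from the post.

PFCTL="${PFCTL:-pfctl}"
AT="${AT:-at}"
ATRM="${ATRM:-atrm}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"
PF_OWNER="${PF_OWNER:-root:wheel}"

# Step 1: parse the candidate rule set without loading it. pfctl -nf prints
# nothing on success, so only the exit status tells us whether it is sane.
check_rules() {
    "$PFCTL" -nf "$1"
}

# Step 2: keep the old rules as pf.conf.old, then put the checked file in
# place with the ownership and mode used in the post.
install_rules() {
    [ -f "$PF_CONF" ] && cp -p "$PF_CONF" "$PF_CONF.old"
    cp "$1" "$PF_CONF" || return 1
    chmod 644 "$PF_CONF" && chown "$PF_OWNER" "$PF_CONF"
}

# Step 3: the safety net. "pfctl -F all -d" flushes every rule, state and
# table and then disables pf, so if the new rules cut the SSH session the
# box reopens itself at the scheduled time instead of needing a monitor.
fallback_command() {
    printf '%s -F all -d\n' "$PFCTL"
}

# Hand the fallback to at(1) ("$@" is the time spec, e.g. "now + 10 minutes")
# and print the job id parsed from its "job <id> at ..." line (assumed format).
schedule_fallback() {
    out=$(fallback_command | "$AT" "$@" 2>&1) || return 1
    job=$(printf '%s\n' "$out" | awk '/^job/ { print $2; exit }')
    [ -n "$job" ] || return 1
    printf '%s\n' "$job"
}

# Step 4: only once the fallback is queued, load the new file and enable pf.
# (Addition to the post: -e alone enables whatever ruleset is already in the
# kernel, so -f is run first to load the file just installed.)
enable_rules() {
    "$PFCTL" -f "$PF_CONF" && "$PFCTL" -e
}

# Step 5: after you have confirmed a fresh SSH login still works, cancel the
# fallback so it does not tear the firewall down at the scheduled time.
cancel_fallback() {
    "$ATRM" "$1"
}

# Whole procedure: validate, install, arm the safety net, enable. Prints the
# at(1) job id to pass to cancel_fallback; returns non-zero and leaves the
# running configuration untouched if the syntax check fails.
safe_reload() {
    new="$1"; shift
    if ! check_rules "$new"; then
        echo "syntax error in $new, nothing changed" >&2
        return 1
    fi
    install_rules "$new" || return 1
    job=$(schedule_fallback "$@") || return 1
    enable_rules || return 1
    printf '%s\n' "$job"
}
```

As root you'd source the file and run something like `safe_reload /home/Terry/pf.conf.new now + 10 minutes`, open a second SSH session to prove you can still get in, and then `cancel_fallback <jobid>` with the id it printed. If that second login never connects, you just wait for the at job to fire and start over.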
What wonders you can learn from one bad day, huh?
At least tonight, I've not locked myself out once... despite the day's troubles, hehe. One of the reasons I like OpenBSD's packet filter: it's simple, it's powerful, just read the fine manual, use your gray matter, and it works! The rule sets are fairly easy to read, and OpenBSD's documentation is second to none. Heck, the manual page even gives the pf.conf syntax in Backus-Naur Form. The only complex part of pf is the networking stuff, not the configuration. And of course, I love anything that is configured through a sane text file, rather than having to fire up some cornball program lol. Really, I wish I had the resources to replace my router with an OpenBSD machine; that way I wouldn't have to learn my way around a new web interface whenever one pops its final cork.
Ahh... At least one good thing happened this weekend!!!