Monday, August 07, 2006

Testing Firewall Rules

If you are using PF and want to test your firewall rules remotely but are afraid of locking yourself out of the box, you can do this safely. Create a PF config file named /etc/pf-open.conf containing only the open-all ruleset,

pass all

Then take the PF configuration file you actually want to test, say /etc/pf-server.conf with the heavy filter rules. To test it, run

shell>pfctl -f /etc/pf-server.conf; sleep 90; pfctl -f /etc/pf-open.conf

The filter rules will be applied, and after 90 seconds PF switches back to the pass-all rules. So if the new rules accidentally lock you out, or your internet connection drops, you can log back in to the box once the 90 seconds are up.

I found this tip from here; apparently this is very useful.

The safer way is to put the commands above into a shell script and run that script instead, so that if your session is terminated and the terminal closes before the 90 seconds elapse, the pfctl -f /etc/pf-open.conf still gets executed.
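Here is one way to write that script, added as an example here and not taken from the original post. The script name pf-trial.sh, the pf_trial function and the PFCTL override variable are my own assumptions; pfctl -n (parse the ruleset without loading it) and pfctl -f are real pfctl options. The script checks that the fallback file exists and parses before it loads the test rules, since a typo in /etc/pf-open.conf would leave you locked out anyway, and it ignores SIGHUP so the fallback survives the terminal going away.

```shell
#!/bin/sh
# pf-trial.sh (hypothetical name): load a test ruleset, wait, then fall back
# to a permissive one so a bad rule cannot lock you out for good.
# Usage: nohup sh pf-trial.sh /etc/pf-server.conf /etc/pf-open.conf 90 &
PFCTL="${PFCTL:-pfctl}"   # assumed override so the sequence can run without PF

pf_trial() {
    test_conf="$1"; open_conf="$2"; secs="${3:-90}"

    # Both files must be readable; a missing fallback defeats the purpose.
    [ -r "$test_conf" ] || { echo "cannot read $test_conf" >&2; return 2; }
    [ -r "$open_conf" ] || { echo "cannot read $open_conf" >&2; return 2; }

    # Parse-only check of the fallback ruleset before relying on it.
    "$PFCTL" -n -f "$open_conf" || { echo "$open_conf does not parse" >&2; return 3; }

    # Losing the terminal sends SIGHUP; ignore it so the fallback still runs.
    trap '' HUP

    "$PFCTL" -f "$test_conf" || return 1   # load the rules under test
    sleep "$secs"                          # window to confirm you still have access
    "$PFCTL" -f "$open_conf"               # unconditionally revert to pass all
}

# Only run automatically when executed as the script itself, not when sourced.
case "$0" in
    *pf-trial.sh) pf_trial "$@" ;;
esac
```

Running it under nohup (or with `&` from a script that is itself detached) keeps the fallback alive even if the SSH session drops; if you confirm within the window that the new rules behave, you can simply reload the server config for good with pfctl -f /etc/pf-server.conf.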

Enjoy :]
