IPFW lockout.

Kevin Kinsey kdk at daleco.biz
Mon Sep 5 06:13:56 PDT 2005


James Bowman Sineath, III wrote:

>> Hi all,
>>
>> I have a small problem on one of my dev boxes. I have a bad bootup
>> ipfw ruleset and I find myself locked out of the machine.
>>
>> There will be a technician at the NOC on Tuesday that will be able
>> to assist me.
>>
>> My question is: Will he/she be able to simply reboot, logon as root
>> as normal?
>>
>> - and then -
>>
>> disable IPFW in rc.conf ... or will the loopback rule not being
>> present cause more mayhem than I think it will?
>>
>> -Grant
>
>
> He should be able to login without any problems.
>
> On another note, in the future whenever you make changes to your
> system that could potentially lock you out, use crontab to disable
> them after a short amount of time. For example, when I was
> reconfiguring sshd, I crontab'ed 'killall sshd && sshd -f /root/sshd_config_old'
> and moved the default config file to my /root directory. Also when playing
> with my ipfw rules, I crontab'ed 'ipfw disable firewall' for every 15 minutes
> until I got it working the way I wanted to.
>
> Be VERY careful with this though. Don't use it and then forget to remove
> the lines from your /etc/crontab. Remove them as soon as you get it
> configured the way you want to. This is obviously a serious security
> risk, so don't use it very often. If you are worried about disabling your
> firewall, then create a small ipfw script to deny all connections except
> from your IP address and crontab that instead of 'ipfw disable firewall'.
> Also keep in mind to enable your firewall again you will need to type 
> 'ipfw enable firewall'.


See also /usr/share/examples/ipfw/change_rules.sh....

Kevin Kinsey.
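The two suggestions above (a timer that undoes the change unless you confirm it, and a fallback ruleset that admits only your own address instead of dropping the firewall entirely) combined into one script, as an added example; this is not code from the thread or from FreeBSD's change_rules.sh. It assumes an admin address of 203.0.113.10 (replace with your own), uses a backgrounded sleep rather than cron as the timer so the whole thing lives in one file, and reads the ipfw binary from the IPFW_CMD variable so the logic can be exercised with a stub on a host that has no ipfw.

```shell
#!/bin/sh
# Added example: dead-man switch around an ipfw rule change.
# Usage:  sh deadman.sh arm        (start the timer, then load your new rules)
#         sh deadman.sh confirm PID (new rules work: cancel the timer)
#         sh deadman.sh fallback   (load the admin-only ruleset by hand)
# Assumptions: ADMIN_IP is a placeholder address; IPFW_CMD lets a test
# substitute a stub for the real ipfw(8) binary.
: "${IPFW_CMD:=ipfw}"
: "${ADMIN_IP:=203.0.113.10}"   # assumed admin host, replace with yours
: "${TIMEOUT:=60}"              # seconds before the fallback kicks in

# Fallback ruleset: loopback plus traffic to and from the admin host only.
# Unlike 'ipfw disable firewall' this never exposes every service to the net.
load_fallback_rules() {
    "$IPFW_CMD" -q -f flush
    "$IPFW_CMD" -q add 100 allow ip from any to any via lo0
    "$IPFW_CMD" -q add 200 allow ip from "$ADMIN_IP" to me
    "$IPFW_CMD" -q add 300 allow ip from me to "$ADMIN_IP"
    "$IPFW_CMD" -q add 65000 deny ip from any to any
}

# Start the timer in the background; stdio is detached so the caller never
# blocks on it. The timer's PID is stored in DEADMAN_PID and printed so a
# later 'confirm' can cancel it.
arm_deadman() {
    ( sleep "$TIMEOUT" && load_fallback_rules ) >/dev/null 2>&1 &
    DEADMAN_PID=$!
    echo "dead-man timer armed: pid $DEADMAN_PID, fires in ${TIMEOUT}s" >&2
}

# Cancel the timer once you have verified the new rules still let you in.
# Killing the subshell is enough: the '&& load_fallback_rules' never runs.
confirm_rules() {
    kill "$1" 2>/dev/null || true
}

case "${1:-}" in
    arm)      arm_deadman ;;
    confirm)  confirm_rules "${2:?usage: confirm PID}" ;;
    fallback) load_fallback_rules ;;
esac
```

Arm the timer from the same session you are about to risk, apply the new rules, open a second SSH connection to prove they work, then confirm. If the second login fails, do nothing: after TIMEOUT seconds the admin-only ruleset replaces whatever locked you out, and you can log in and fix the real rules. Remember to actually run confirm, or the fallback will silently drop the rules you just finished.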

