On Sat, Jun 14, 2014 at 01:17:14PM +0200, Stéphane Guedon wrote:
> Second, I am wondering if someone knows or has written some tool to prevent
> yourself from being locked out of your online ssh server when writing pf
> rules.
>
> Something like: copy the new pf rules in /tmp, load them, and ask the user if
> it's ok. If not, reload the previous rules two minutes later.
From the pfctl manpage:

    -n      Do not actually load rules, just parse them.

So, you have your /etc/pf.conf and /etc/pf.conf.tmp files. You do
pfctl -nf /etc/pf.conf.tmp, check the return code, and then either mv the
file to pf.conf and load it upon success, or report an error and exit,
leaving the good rules in place.

Nicolai
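The parse-then-install procedure Nicolai describes, written out as a shell function. This is an added example, not code from either poster. It assumes the candidate file is staged beside the live one (the paths are parameters) and that the pfctl binary can be overridden through a PFCTL variable, which is only there so the function can be exercised on a host without pf; on an OpenBSD box you leave it unset.

```sh
#!/bin/sh
# Added example (not from the original thread): validate a candidate pf.conf
# with `pfctl -n` before it replaces the working ruleset.
#
# Assumption: PFCTL lets a stand-in command be substituted for testing on a
# machine that has no pf; in real use it defaults to the system pfctl.
PFCTL="${PFCTL:-pfctl}"

# install_pf_rules NEW LIVE
#   Parse NEW with `pfctl -n -f`. On success, move NEW over LIVE and load it.
#   On any failure, leave LIVE (and the running ruleset) untouched and
#   return non-zero, so a typo can never knock out the rules that are
#   keeping the ssh session alive.
install_pf_rules() {
    new=$1
    live=$2

    if [ ! -r "$new" ]; then
        echo "install_pf_rules: cannot read $new" >&2
        return 2
    fi

    # -n: parse only, do not load. A syntax error stops here.
    if ! "$PFCTL" -n -f "$new"; then
        echo "install_pf_rules: $new failed to parse; keeping $live" >&2
        return 1
    fi

    # The candidate parsed cleanly: make it the live file, then load it.
    mv "$new" "$live" || return 1
    "$PFCTL" -f "$live"
}

# Typical invocation on a real host (left commented so the file can be
# sourced without touching /etc):
# install_pf_rules /etc/pf.conf.tmp /etc/pf.conf
```

Note what this does and does not catch: `-n` rejects a file pf cannot parse, which is the failure mode Nicolai is addressing. A ruleset that parses fine but blocks port 22 will load without complaint, which is the lockout Stéphane asked about; the usual guard for that is to keep a copy of the old file and schedule its reload in the background (a `sleep` followed by `pfctl -f` on the saved copy) before loading the new one, killing that background job only once you have confirmed the session is still alive.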