Paul de Weerd wrote:
> ...
> If your admins lock themselves out, they shouldn't have been typing on
> the machine in the first place. Accidents do happen, so surely you
> have OOB access (serial console, anyone ?). Then, if this is still
> such a big issue, you can write some scripts that will give you
> something along the lines of Juniper's 'commit confirmed'...
Remote access to the serial console is fairly new to me (mostly due to political obstacles in getting *any* kind of remote access). However, from what I see, it is vastly underrated, especially for major system changes.

Regarding just PF, I tend not to edit /etc/pf.conf directly, but instead work from a copy and use 'at' to restore the rules from /etc/pf.conf after a certain time. Usually I set it for two or three minutes, unless I need longer for verification and testing. Sometimes the current SSH session gets locked due to state issues, but it's still possible to make a new connection and use that... or else wait a few minutes.

e.g.

  pfctl -nf /home/lars/pf.test.conf \
    && echo "/sbin/pfctl -f /etc/pf.conf" \
       | at now +3 minutes \
    && pfctl -f /home/lars/pf.test.conf

Not messing with /etc/pf.conf also allows the machine to recover gracefully in cases where the room or building power cycles during your test. (Hey, it happens.)

Regards,
-Lars
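The procedure Lars describes (parse-check the candidate with pfctl -nf, queue a rollback to /etc/pf.conf with at(1), then load the candidate) can be wrapped into the poor man's 'commit confirmed' that Paul alludes to, with an explicit confirm step that cancels the queued rollback. The script below is an added example and is not code from either message. It assumes the at(1) implementation reports the queued job as "job <id> at <date>" (OpenBSD and most others do), and the state-file path /var/run/pfcommit.job, the pfcommit name and the pf_try/pf_confirm functions are my own. Every external command is a variable so the script can be exercised with stubs.

```shell
#!/bin/sh
# pfcommit.sh - "commit confirmed" for pf, built from pfctl(8) and at(1).
# Added example, not from the original thread. All paths and commands are
# overridable so the logic can be tested without touching a real firewall.
#
#   pfcommit.sh try /home/lars/pf.test.conf 3   # check, arm rollback, load
#   pfcommit.sh confirm                         # rules are good, cancel rollback

PFCTL=${PFCTL:-/sbin/pfctl}              # pfctl(8)
AT=${AT:-at}                             # at(1), prints "job <id> at <date>"
ATRM=${ATRM:-atrm}                       # atrm(1), removes a queued job
LIVE_CONF=${LIVE_CONF:-/etc/pf.conf}     # known-good ruleset to fall back to
STATE=${STATE:-/var/run/pfcommit.job}    # pending rollback job id (assumed path)

# Queue "reload LIVE_CONF" to run in $1 minutes and print the at(1) job id.
# at(1) reports the job on stderr, so stderr is merged before parsing.
schedule_rollback() {
    printf '%s -f %s\nrm -f %s\n' "$PFCTL" "$LIVE_CONF" "$STATE" \
        | "$AT" now + "$1" minutes 2>&1 \
        | sed -n 's/^job \([^ ]*\) at .*/\1/p'
}

# try <candidate> [minutes]: validate, arm the rollback, then load.
pf_try() {
    candidate=$1
    minutes=${2:-3}

    # A rollback is already queued: confirm it or let it fire first.
    if [ -s "$STATE" ]; then
        echo "pfcommit: rollback job $(cat "$STATE") still pending" >&2
        return 2
    fi

    # 1. Parse-only check. A syntax error is not worth arming anything for.
    "$PFCTL" -nf "$candidate" || return 1

    # 2. Arm the rollback *before* touching the live ruleset, so a session
    #    cut off by the new rules still ends in a known state.
    jobid=$(schedule_rollback "$minutes")
    if [ -z "$jobid" ]; then
        echo "pfcommit: could not queue rollback, not loading $candidate" >&2
        return 1
    fi
    printf '%s\n' "$jobid" > "$STATE"

    # 3. Load the candidate. /etc/pf.conf is untouched, so a power cycle
    #    also comes back with the old rules.
    "$PFCTL" -f "$candidate"
}

# confirm: the new rules work, cancel the pending rollback.
pf_confirm() {
    if [ ! -s "$STATE" ]; then
        echo "pfcommit: nothing to confirm" >&2
        return 1
    fi
    "$ATRM" "$(cat "$STATE")" && rm -f "$STATE"
}

case ${1:-} in
    try)     shift; pf_try "$@" ;;
    confirm) pf_confirm ;;
esac
```

The ordering in pf_try is the point: the rollback is queued before the candidate is loaded, so the worst case of a lost SSH session is a few minutes of waiting, not a trip to the serial console. Run 'pfcommit.sh confirm' from a fresh connection once you have verified the new rules actually let you in.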