Paul de Weerd wrote:
> ...
> If your admins lock themselves out, they shouldn't have been typing on
> the machine in the first place. Accidents do happen, so surely you
> have OOB access (serial console, anyone?). Then, if this is still
> such a big issue, you can write some scripts that will give you
> something along the lines of Juniper's 'commit confirmed'...
Remote access to the serial console is fairly new to me (mostly due to
political obstacles in getting *any* kind of remote access). However,
from what I see, it is vastly underrated especially for major system
changes.
Regarding just PF, I tend to not edit /etc/pf.conf directly, but instead
work from a copy and use 'at' to restore the rules from /etc/pf.conf
after a certain time. Usually I set it for two or three minutes, unless
I need longer for verification and testing. Sometimes the current SSH
session gets locked due to state issues, but it's still possible to make
a new connection and use that... or else wait a few minutes.
e.g.
# syntax-check the test rules, schedule a restore of the known-good rules
# in 3 minutes, and only then load the test rules:
pfctl -nf /home/lars/pf.test.conf \
&& echo "/sbin/pfctl -f /etc/pf.conf" \
| at now +3 minutes \
&& pfctl -f /home/lars/pf.test.conf
Not messing with /etc/pf.conf also allows the machine to recover
gracefully in cases where the room or building power cycles during your
test. (Hey, it happens)
Regards,
-Lars
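Paul's 'commit confirmed' idea and Lars's at(1) trick, folded into one small script as an added example (this is not code from the original post or from either poster). It keeps the ordering that makes the trick safe: check the candidate with `pfctl -n` first, schedule the rollback second, load the candidate last, so a typo or a broken at(1) never leaves you with new rules and no way back. The rollback job tests for a flag file before reloading /etc/pf.conf, so "confirming" is just creating that file; no atrm(1) and no parsing of at's job id is needed. OpenBSD-style pfctl(8)/at(1) syntax, /etc/pf.conf as the live ruleset, and all the paths in the variables below are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a "commit confirmed" wrapper
# around pfctl(8) and at(1). Usage:
#   sh pf-cc.sh begin /home/lars/pf.test.conf 3   # check, arm 3 min rollback, load
#   sh pf-cc.sh confirm /home/lars/pf.test.conf   # keep it: disarm, promote to /etc/pf.conf
# Assumptions (constructed for this example): OpenBSD-style pfctl/at syntax,
# /etc/pf.conf as the live ruleset, and the flag/path variables below.

PFCTL=${PFCTL:-/sbin/pfctl}            # overridable so the logic can be exercised with stubs
AT=${AT:-at}
PF_LIVE=${PF_LIVE:-/etc/pf.conf}
PF_CONFIRM=${PF_CONFIRM:-/var/run/pf.confirmed}   # flag file: "the new rules were confirmed"

# The command at(1) will run: restore the live ruleset unless confirmed.
# Checking the flag inside the job means confirming never needs atrm(1)
# or a parsed job id, only the creation of one file.
pf_rollback_cmd() {
    printf 'test -e %s || %s -f %s\n' "$PF_CONFIRM" "$PFCTL" "$PF_LIVE"
}

# pf_begin TESTCONF [MINUTES]
#   1. syntax-check the candidate (pfctl -n parses but loads nothing),
#   2. schedule the rollback job,
#   3. only then load the candidate.
# Returns non-zero without touching pf if step 1 or 2 fails.
pf_begin() {
    testconf=$1
    minutes=${2:-3}
    rm -f "$PF_CONFIRM"                 # a stale flag would disarm this run's rollback
    "$PFCTL" -nf "$testconf" || {
        echo "pf_begin: $testconf failed syntax check, nothing changed" >&2
        return 1
    }
    pf_rollback_cmd | "$AT" now "+$minutes" minutes || {
        echo "pf_begin: could not schedule rollback, nothing changed" >&2
        return 1
    }
    "$PFCTL" -f "$testconf"
}

# pf_confirm TESTCONF
# The candidate works: disarm the pending rollback and make it the live
# ruleset, so a reboot or power cycle later comes up with it too.
pf_confirm() {
    : > "$PF_CONFIRM" || return 1
    cp "$1" "$PF_LIVE"
}

case "${1:-}" in
    begin)   pf_begin "$2" "$3" ;;
    confirm) pf_confirm "$2" ;;
    *)       echo "usage: $0 begin TESTCONF [MINUTES] | confirm TESTCONF" >&2 ;;
esac
```

If you abort early instead of waiting for the timer, just run `pfctl -f /etc/pf.conf` by hand; the pending job will reload the same file again later, which is harmless.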