A simple pf.conf trick

Sometimes, when loading a new ruleset into pf from a remote session, your connection to the firewall gets dropped. To avoid locking yourself out, fire up screen (or tmux if you prefer) and then execute:

# sleep 5; pfctl -Fall -f /etc/pf.conf

That way you have enough time to detach from screen, log out and then log in again to check that the new rules were applied properly. Keep in mind that -Fall flushes the state table along with the rules, which is what usually cuts the existing session: if you only want to swap the rules and keep established connections, pfctl -f /etc/pf.conf without the flush is normally enough, and pfctl -nf /etc/pf.conf will catch syntax errors before anything is loaded. Of course there is always the possibility of not being able to reconnect due to a logic error in pf.conf, but hey, he who made no mistakes never built anything.

2 thoughts on “A simple pf.conf trick”

  1. You could easily implement something like ferm’s[1] interactive mode:

    1. Dump current ruleset
    2. Apply new ruleset
    3. Prompt user for confirmation
    4. If a specified time interval elapses, revert to the old ruleset.

    By the way, ferm is a very convenient frontend for iptables, its big advantages being a powerful language, custom macro definitions and dual-stack (v4-v6) rule generation.

    [1]: http://ferm.foo-projects.org/

    1. Ferm seems cool, but we have worked with pf ever since ipfilter was removed from OpenBSD 3.0. Actually, one of the reasons for using sleep+screen is #4: being able to log in after the rules have been applied and run a command that will prevent reloading the previous ruleset after a certain amount of time. But you can’t always teach an old dog new tricks.
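The script below implements the apply, then confirm-or-revert flow the comment above describes, built on the sleep-then-reload trick from the post. It is an added example written for this page; it is not the post author's script and not ferm's code. It assumes pfctl(8) as found on OpenBSD, that /etc/pf.conf is the ruleset currently loaded, and that the candidate ruleset is kept in a separate file; the state directory /var/run/pf-reload and the function names are made up for the example.

```bash
#!/bin/sh
# pf-reload.sh: load a candidate pf ruleset, then revert to the old one
# unless the operator logs back in and confirms within a time limit.
# Added example, not code from the original post or from ferm. Assumes
# pfctl(8) as shipped with OpenBSD, that $PF_CONF matches the ruleset
# currently loaded, and a hypothetical state directory /var/run/pf-reload.

PFCTL=${PFCTL:-pfctl}
PF_CONF=${PF_CONF:-/etc/pf.conf}
PF_STATE=${PF_STATE:-/var/run/pf-reload}   # hypothetical path, not an OpenBSD default

# Parse-only check; nothing is loaded. Catches syntax errors, not logic errors.
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_apply CANDIDATE [SECONDS]: load CANDIDATE and arm a revert timer.
pf_apply() {
    new=$1
    delay=${2:-60}
    # The candidate must be a separate file: the revert reloads $PF_CONF as-is.
    [ "$new" != "$PF_CONF" ] || { echo "edit a copy, not $PF_CONF itself" >&2; return 1; }
    pf_check "$new" || return 1
    mkdir -p "$PF_STATE" || return 1
    # -f replaces the ruleset but keeps the state table, so an SSH session
    # allowed by both rulesets survives; -Fall would drop it outright.
    "$PFCTL" -f "$new" || return 1
    # Background timer: if nobody confirms in time, the old ruleset comes back.
    ( sleep "$delay" && "$PFCTL" -f "$PF_CONF" && rm -f "$PF_STATE/timer.pid" "$PF_STATE/candidate" ) &
    echo "$!" > "$PF_STATE/timer.pid"
    echo "$new" > "$PF_STATE/candidate"
    echo "loaded $new; reverting to $PF_CONF in $delay s unless confirmed"
}

# pf_confirm: run after logging back in. Cancels the timer and makes the
# candidate the permanent ruleset by copying it over $PF_CONF.
pf_confirm() {
    [ -f "$PF_STATE/timer.pid" ] || { echo "no pending reload" >&2; return 1; }
    kill "$(cat "$PF_STATE/timer.pid")" 2>/dev/null || true
    cp "$(cat "$PF_STATE/candidate")" "$PF_CONF" || return 1
    rm -f "$PF_STATE/timer.pid" "$PF_STATE/candidate"
    echo "ruleset confirmed and saved to $PF_CONF"
}

# Command-line front end:
#   pf-reload.sh apply /etc/pf.conf.new 60    (inside screen)
#   pf-reload.sh confirm                      (after logging back in)
case "${1:-}" in
    apply)   pf_apply "$2" "${3:-60}" ;;
    confirm) pf_confirm ;;
esac
```

Run the apply step under screen, reconnect, then run confirm. If the timer has already fired, confirm reports "no pending reload": the old ruleset is back and the candidate has to be applied again. Both the load and the revert use -f rather than -Fall, so the state table survives in either direction and the revert itself does not cut the session.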
