Overview

Disclaimer and warning: I suggest you read this entire blog post first before running anything and do some testing locally if you can, or at least read the contents of each script, before running them. I accept absolutely no responsibility for you locking yourself out of your server using these scripts. They worked for me on FreeBSD 6.2 and FreeBSD 6.3. At the very least you should do these on a remote machine that is not currently in production.

I had a whole bunch of firewall rules running on my gateway for various servers. It became cumbersome administrating them all centrally, so I decided that it would be much better to have all my servers run their own firewall rules.

My servers are in a different city, so I had to do this all remotely. Unfortunately playing around with ipfw remotely is pretty dicey because you generally have the ability to completely lock yourself out of your server.

The Code

So, without further ado, here is my set of scripts for safely doing ipfw stuff remotely:

https://github.com/iaindooley/ipfw-safe

That tarball contains the following files:

  • add_rules_safely: the script you call to add rules safely
  • add_rules_then_flush: used by add_rules_safely
  • ipfw_flush: called by add_rules_then_flush if it’s not killed
  • kldload_ipfw_safely: the script you call to initialise ipfw on a server
  • kldload_ipfw_then_allow: called by kldload_ipfw_safely
  • rules_to_add: a list of firewall rules you want to add

Usage

When you’re running this on a server which doesn’t have ipfw compiled in the kernel, you can either compile it into the kernel, or you can load it into the kernel dynamically by doing (as root):

./kldload_ipfw_safely

Once you’re happy with your rules, you can load ipfw automatically in /boot/loader.conf (or statically compile it into the kernel), but until then it’s best to leave it out so that if you really mess up you can always just power cycle the machine and ipfw won’t be there anymore.

Once you’ve got ipfw running, you should be able to do (as root):

ipfw list

which will display:

00010 allow ip from any to any
65535 deny ip from any to any

Now, having done that, you can test out the script to add rules safely. By default, when you have downloaded the tarball above and loaded ipfw with the kldload command above, you’ll have rule 00010, which allows any to any. The rules_to_add file as you downloaded it will delete this rule, locking you out of your server. The “sleep” value in add_rules_then_flush as you downloaded it is 10, so if you were to do:

./add_rules_safely

with the files from that tarball “out of the box”, so to speak, you would be locked out of your server for 10 seconds, after which the rules would be flushed and you would be able to get back in.

Now, the general procedure for adding more rules is to first edit the sleep interval in add_rules_then_flush to something long enough for you to kill that script if your rules did not lock you out, and then put some more meaningful rules in your rules_to_add file.

What this means is that you’ll be able to add your rules safely. If all goes well, and you still have access to your box, then you’ll be able to kill the script before it flushes your rules.

If you experience ipFAILw, and you get locked out of your server, then after the sleep interval is over, your rules will get flushed and you can log back in.
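The cycle described above (arm a timed flush first, load the rules, then kill the timer if you can still log in) is small enough to show in full. The script below is an added illustration of that pattern and is not the ipfw-safe project's own code: the function names, the IPFW, SLEEP_SECS and RULES_FILE variables, and the assumed rules-file format (one complete ipfw argument list per line, so that both "add ..." and "delete 10" lines work) are this example's choices. The firewall command is taken from a variable so the logic can be dry-run on a machine without ipfw by pointing it at a stand-in.

```shell
#!/bin/sh
# Added illustration of the "add rules, then flush unless cancelled" pattern.
# Not the ipfw-safe project's scripts; names, variables and the rules-file
# format (one ipfw argument list per line) are this example's assumptions.

: "${IPFW:=ipfw}"               # the firewall command; override for a dry run
: "${SLEEP_SECS:=10}"           # how long you get to cancel the flush
: "${RULES_FILE:=rules_to_add}" # e.g. "add allow tcp from any to me 22"

WATCHDOG_PID=""

# Background watchdog: after SLEEP_SECS it flushes every rule and puts back
# the catch-all allow, so a locked-out admin can get in again. Its output is
# sent to /dev/null so it never holds open a pipe the caller is reading.
start_watchdog() {
    (
        sleep "$SLEEP_SECS"
        "$IPFW" -f flush
        "$IPFW" add 10 allow ip from any to any
    ) >/dev/null 2>&1 &
    WATCHDOG_PID=$!
}

# Feed each non-empty, non-comment line of RULES_FILE to the firewall command.
apply_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # word-splitting of $line into separate ipfw arguments is intended
        "$IPFW" $line || return 1
    done < "$RULES_FILE"
}

# Arm the watchdog FIRST, then load the rules: if loading them cuts your
# session, the timer is already running and the rules will be flushed.
add_rules_safely() {
    start_watchdog
    apply_rules || echo "rule load failed; leaving the watchdog to flush" >&2
    echo "rules loaded; you have $SLEEP_SECS seconds to run cancel_watchdog"
}

# Run this once you have confirmed you can still reach the box.
# Returns 0 if the flush was averted, 1 if the watchdog already fired.
cancel_watchdog() {
    if kill "$WATCHDOG_PID" 2>/dev/null; then
        wait "$WATCHDOG_PID" 2>/dev/null || true   # reap it; status 143 is expected
        echo "watchdog cancelled; rules kept"
        return 0
    fi
    echo "too late: the watchdog has already flushed the rules" >&2
    return 1
}

# Command-line entry point: "./ipfw_safe_demo.sh add" starts the cycle and
# "./ipfw_safe_demo.sh cancel <pid>" ends it from a second login (by PID,
# since the shell that armed the watchdog may already be gone).
case "${1:-}" in
    add)    add_rules_safely; echo "watchdog pid: $WATCHDOG_PID" ;;
    cancel) WATCHDOG_PID=${2:-}; cancel_watchdog ;;
esac
```

Two details matter for the safety property. The watchdog is started before any rule is applied, so there is no window in which a bad rule has been loaded but nothing is scheduled to undo it. And the flush is followed by re-adding the "allow ip from any to any" rule, because an empty ipfw rule set on FreeBSD still ends in the default 65535 deny and would leave you locked out. To dry-run the logic without touching a real firewall, set IPFW to a shell function that only logs its arguments.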

Comments Archive

This post originally appeared on an older version of the Working Software website which implemented its own comment mechanism. This new version of our website/blog uses Disqus for comments (see below); however, I wanted to preserve the comments made on the previous post here:

ORLY?

jsoftw (2008-08-27)