Work on a Firewall Remotely

From LQWiki

How to Work on a Firewall Remotely

Let's face it: you install a server, and inevitably your client or customer will want changes that require editing your firewall script. If you don't have a firewall script, consider using ferm, which gives you an easy-to-understand configuration that generates iptables rules. Even if you use something like ipf or pf rather than iptables, these few tips will probably lower your stress levels and let you sleep better at night.

  • Tip #1: Create yourself a "dead-man's handle"

A so-called "dead-man's handle" is a way back in if your new firewall rules suddenly cut off your access to the server. To set one up, log on to the server and type:

# screen

This opens a virtual terminal that you can detach from later and reattach to. Next, copy your current WORKING firewall script somewhere safe:

# cp /etc/firewall.sh /etc/firewall.deadman.sh

Now type into the virtual terminal:

# sleep 3600 && /etc/firewall.deadman.sh

This waits exactly one hour, then reloads the copy of the firewall script that you know works. To detach from the virtual terminal, press CTRL + A and then CTRL + D. It will say something like "screen detached".

Now you can edit the firewall and apply your changes as you go, but take care not to work for longer than an hour. If at any point you lock yourself out, just wait for the rest of the hour: the dead-man's handle will reload the old firewall and let you back in.

Remember that if you break the firewall during this time, the server may be completely unreachable until the timer reloads the old rules. This mechanism is only meant as an absolute last resort; you should never edit a firewall remotely without something like it in place.

After you have made your changes, applied the new firewall and confirmed that everything works, you will want to cancel the timer so that it does not reinstate your old firewall. To do this, log in and type:

# screen -r

This reattaches your console to the timer. The reason for using "&&" is that if the 'sleep' command exits before it is meant to (that is, with a non-zero status), the second command is not executed. So you can safely press CTRL + C: the timer stops and the firewall script is not run.

Once you've cancelled the timer, you can close the screen session by typing:

exit

And it's all over! Sleep well.
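The whole Tip #1 procedure as one script, added here as an example; it is not the wiki's own code. It keeps the page's paths /etc/firewall.sh and /etc/firewall.deadman.sh, but assumes (not from the page) that the timer runs as a detached background job rather than inside screen, that its PID is recorded in a pidfile under /tmp, and that the known-good script is executable. Cancelling works exactly as the text explains: the restore runs only if the sleep finishes on its own.

```shell
#!/bin/sh
# Dead-man's handle for remote firewall edits: added example, not the wiki's own code.
# Assumptions (not from the page): the timer runs as a detached background job
# instead of inside screen, its PID is kept in $PIDFILE, and the known-good
# script at $FIREWALL is executable. The cancel semantics are the page's "&&":
# the restore runs only if the sleep finishes normally.

FIREWALL=${FIREWALL:-/etc/firewall.sh}               # your working firewall script
DEADMAN=${DEADMAN:-/etc/firewall.deadman.sh}         # copy that the timer reloads
PIDFILE=${PIDFILE:-/tmp/firewall-deadman.pid}        # assumed location for the timer PID

# deadman_arm SECONDS: copy the known-good script and start the timer.
deadman_arm() {
    secs=$1
    cp "$FIREWALL" "$DEADMAN" && chmod +x "$DEADMAN" || return 1
    (
        trap '' HUP                       # survive the SSH session dropping, as screen would
        sleep "$secs" &                   # the timer itself
        timer=$!
        trap 'kill "$timer" 2>/dev/null; exit 1' TERM INT
        # wait returns sleep's exit status, so a killed sleep (status > 128)
        # blocks the restore exactly as "sleep 3600 && script" does.
        wait "$timer" && "$DEADMAN"
    ) </dev/null >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# deadman_status: exit 0 while a timer is armed and still alive.
deadman_status() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# deadman_disarm: the equivalent of "screen -r" followed by CTRL + C.
deadman_disarm() {
    deadman_status || { echo "no dead-man's handle is armed" >&2; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "${1:-}" in
    arm)    deadman_arm "${2:-3600}" ;;   # one hour by default, as in the text
    status) deadman_status && echo armed || echo "not armed" ;;
    disarm) deadman_disarm ;;
esac
```

Usage follows the text: `./deadman.sh arm` before you start editing, `./deadman.sh status` to confirm the timer is still running, and `./deadman.sh disarm` once the new rules are proven to work. The subshell traps TERM so that disarming also kills the sleep instead of leaving it orphaned.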

  • Tip #2: Remember that if you have changed the default iptables policies to DROP, running iptables -F flushes all the rules but leaves the policies in place, so every chain with a DROP policy will drop everything, including your own connection!
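Two ways to reload rules without the lock-out Tip #2 describes, added here as an example that is not from the wiki page. It assumes (not from the page) that the iptables and iptables-restore commands are overridable through the IPTABLES and IPTABLES_RESTORE variables, and the ruleset it carries is a constructed sample in iptables-save format.

```shell
#!/bin/sh
# Reloading iptables without the Tip #2 lock-out: added example, not from the wiki page.
# $IPTABLES and $IPTABLES_RESTORE are assumed overridable so the logic can be
# exercised with stand-ins; on a real host they are simply the two commands.

IPTABLES=${IPTABLES:-iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# What the tip warns about. With the policies already set to DROP, this on its
# own removes every ACCEPT rule but keeps the DROP policies, so nothing gets
# through, including your SSH session:
#     iptables -F

# safe_flush: open the filter-table policies BEFORE flushing, so the chains are
# never left at DROP with no rules. There is a brief fully-open window, which is
# why reload_atomic below is preferable for a full reload.
safe_flush() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -P "$chain" ACCEPT || return 1
    done
    $IPTABLES -F && $IPTABLES -X
}

# Constructed ruleset in iptables-save format (not from the page): DROP
# policies with loopback, established traffic and SSH allowed.
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# write_ruleset FILE: save the constructed ruleset to FILE for reload_atomic.
write_ruleset() {
    printf '%s\n' "$RULESET" > "$1"
}

# reload_atomic FILE: iptables-restore replaces the whole table in one step,
# so there is no moment with DROP policies and an empty rule list. The --test
# pass only parses the file; a typo is rejected before anything changes.
reload_atomic() {
    rules=$1
    $IPTABLES_RESTORE --test < "$rules" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    $IPTABLES_RESTORE < "$rules"
}
```

On a real host, `write_ruleset /etc/firewall.rules && reload_atomic /etc/firewall.rules` applies the sample in one step; `safe_flush` is the order to use if you really do need to empty the tables by hand.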