NetBSD-Users archive


Re: pf and rpi



On 10/1/14 9:57 AM, Zoran Kolic wrote:
> I intend to load pf firewall on rpi and not stay locked out of the
> node. The only communication is via ssh.

Hi, Zoran.

You're right about putting pf=YES in /etc/rc.conf; I would not do that
until I was confident my configuration was right.

Does "rpi" mean "Raspberry Pi"?  If so, then is it easy to power cycle
the device?  If so, you can just try your rules, and if you get locked
out, power cycle it.

But normally I wouldn't even plan to power cycle my machine to recover.
Before trying new firewall rules, I just run something to disable the
firewall after a period of time in case I lock myself out.  So, I'd do
something like this:

# nohup sh -c 'sleep 15; pfctl -d' < /dev/null > /dev/null 2>&1 &

That runs the sh process in the background, detached from standard
input, standard output, and standard error, and ignoring the SIGHUP
signal.  After 15 seconds it runs "pfctl -d" to disable the firewall.

Or you could just start a tmux session, and do the following in a
window:

# sleep 15; pfctl -d

BTW, as of NetBSD 6, there's a new packet filter for NetBSD called
NPF.  See npf.conf(5), npfctl(8), and /usr/share/examples/npf.
There's also a document by the NPF author titled "NPF documentation"
<http://www.netbsd.org/~rmind/npf/>.  I think it documents the latest
NPF, so if you're not running the latest NetBSD, beware that some things
might be slightly different for your NPF.

Regards,

Lewis
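
The safety-net pattern described above (schedule a detached rollback, then cancel it once you have confirmed you can still log in), written out as a small POSIX sh helper. This is an added example, not code from the post or from NetBSD; it assumes `pfctl -d` is the rollback command you want, but any command can be passed, and the pid-file path is a made-up default you can override with ROLLBACK_PIDFILE.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a "dead man's switch" for
# testing firewall rules over ssh. arm_rollback runs a detached watchdog
# that executes a rollback command after N seconds; disarm_rollback cancels
# it once you have verified the new rules did not lock you out.
#
# Typical use on NetBSD (assumes the rollback command is pfctl -d):
#   arm_rollback 60 pfctl -d        # watchdog disables pf in 60 s
#   pfctl -e -f /etc/pf.conf        # load and enable the new rules
#   ... open a second ssh session to confirm access ...
#   disarm_rollback                 # cancel the watchdog; rules stay active

# arm_rollback SECONDS COMMAND [ARGS...]
# Starts the watchdog detached from stdin/stdout/stderr and immune to
# SIGHUP (so it survives the ssh session dying), records its PID in the
# pid file, and prints that PID. The command words are joined with spaces,
# so keep them free of shell quoting.
arm_rollback() {
    secs=$1
    shift
    pidfile=${ROLLBACK_PIDFILE:-/tmp/fw-rollback.pid}   # constructed default
    nohup sh -c "sleep $secs; $*" </dev/null >/dev/null 2>&1 &
    echo "$!" > "$pidfile"
    echo "$!"
}

# disarm_rollback
# Kills the watchdog recorded in the pid file. Returns 0 if it was still
# running (rollback cancelled), 1 if no watchdog was armed or it already
# fired (in which case the firewall has been rolled back).
disarm_rollback() {
    pidfile=${ROLLBACK_PIDFILE:-/tmp/fw-rollback.pid}
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    rm -f "$pidfile"
    if kill "$pid" 2>/dev/null; then
        return 0
    fi
    return 1
}
```

Killing the watchdog's `sh` while it is inside `sleep` is enough: the orphaned `sleep` finishes harmlessly, but the rollback command after it never runs. If `disarm_rollback` returns 1, assume the timeout already expired and the firewall has been disabled.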

