FreeBSD comes with firewall software called IPFILTER (IPF).

I dare say that almost every sysadmin has locked themselves out at some point while playing with firewall rules.

This is a simple tip on how to prevent that from happening when working with IPF.

This is how I do it.

First, make your changes to your firewall configuration. Let's pretend we have the rules stored in /etc/ipf.conf.

The goal is to load the new, updated configuration into the inactive list and then make that list the active one.

Once the new rules are active, we sleep for a set amount of time and then automatically switch back to the old rules. That way, if the configuration contains an error that locks us out, or springs any other unpleasant surprise, the old state is restored automatically and nobody has to jump into the car and drive to the datacenter.

This is the command we use to load the rules into the inactive list, make that list active, wait, and swap back:

ipf -IFa -f /etc/ipf.conf ; ipf -s ; sleep 30 ; ipf -s

What do all these parameters mean?

  • -I  Make changes to the inactive list instead of the active one.
  • -Fa  Flush the filter list being changed ("a" removes all filter rules); combined with -I, this empties the inactive list before the new rules are loaded.
  • -f  Specifies the file ipf should read its rules from when modifying the packet filter rule lists.
  • -s  Swap the active filter list in use for the "other" one.
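The one-liner above can be wrapped in a small script that adds two checks the bare command line does not give you. The following is an added example, not code from the original post: it assumes the ipf(8) utility from FreeBSD IPFILTER, and it lets the ipf path be overridden through an IPF environment variable purely so the logic can be exercised against a stub. It generalizes the post's one-liner in two ways: it refuses to swap if ipf reports an error while loading the new rules (so a half-loaded inactive list never becomes active), and it lets the administrator keep the new rules by creating a confirm file (the /tmp/ipf-ok path is a constructed placeholder) before the grace period runs out, instead of always reverting.

```shell
#!/bin/sh
# ipf-try.sh: load IPF rules into the inactive list, make them active, and
# revert automatically unless the admin confirms within the grace period.
# Added example; assumes FreeBSD ipf(8). IPF may be overridden for testing.

IPF="${IPF:-ipf}"

# try_rules CONF GRACE_SECONDS CONFIRM_FILE
#   returns 0 if the new rules were confirmed and kept,
#           1 if ipf failed to load or swap (old rules untouched),
#           2 if the grace period expired and the old rules were restored.
try_rules() {
    conf="$1"; grace="$2"; confirm="$3"

    rm -f "$confirm"                       # stale confirm file must not count

    # Flush the inactive list and load the new rules into it. If ipf reports
    # a parse or load error, stop here: the active list has not been touched.
    "$IPF" -IFa -f "$conf" || return 1

    # Swap: the freshly loaded list becomes active, the old one inactive.
    "$IPF" -s || return 1

    # Wait up to GRACE seconds for the admin to create the confirm file,
    # which proves the session still works with the new rules in place.
    i=0
    while [ "$i" -lt "$grace" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0                       # confirmed: keep the new rules
        fi
        sleep 1
        i=$((i + 1))
    done

    # Not confirmed in time: swap back so the old rules are active again.
    "$IPF" -s
    return 2
}

# When invoked directly with arguments, run it; defaults are only placeholders.
if [ $# -gt 0 ]; then
    try_rules "$1" "${2:-30}" "${3:-/tmp/ipf-ok}"
    exit $?
fi
```

Usage: start it as `nohup sh ipf-try.sh /etc/ipf.conf 30 /tmp/ipf-ok &`, then, from a new SSH session, run `touch /tmp/ipf-ok` once you are sure you can still get in. Running it under nohup (or inside a screen/tmux session) matters for the plain one-liner too: if the SSH session that typed it is cut off by the new rules, the login shell receives SIGHUP and the trailing `sleep 30 ; ipf -s` may never run, which is exactly the situation the swap-back is meant to rescue you from.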

This is a real lifesaver. If you are not using IPF, find a way to replicate this on your own firewall/OS.

Happy firewalling!

