Re: [suse-security] Firewall script with watcher process

* Steffen Dettmer wrote on Sat, Apr 28, 2001 at 21:01 +0200:

* Steffen Dettmer wrote on Sat, Apr 28, 2001 at 16:44 +0200:

...

The idea:

ssh $HOST $FIREWALL_START ssh $HOST $FIREWALL_WATCHERKILL

I implemented such a thing. It seems to be reliable and usable. First tests looked good. To share the results here some note and details (some parts [...] cut):

Some recommendations: - first, if the same script is used to start firewalling at bootup via rcinit (rc2.d/S04firewall or whatever), it's not a good idea to launch the watcher. - second, I found an easy improvement: if the firewall "start" is finished, another signal is sent to the watcher. If the watcher detects that the script is finished (or died) before receiving this signal "DONE", it opens SSH immediatly (SIGUSR1 is used to signal "DONE", SIGUSR2 is used to signal "OK". It's surprising what modern scripting is able to do. Anyway, it would be more nice to use perl: faster and more robust and so on...) updated code excerpts follow: 1. check if called by rcinit (I know it's trivial, but requires some testing, so here my version:) BASENAME=${0##*/} #longest match ARGV[0] RCLINK=${BASENAME%%[SK][0-9][0-9]*} #longest Match "S04*" from end #RCLINK is empty if this matched if [ -z "$RCLINK" ] ; then RCLINK="yes" #called as i.e. S04firewall via init else RCLINK="no" #called by other name fi 2. modified launch_watcher, following condition check inserted: function launch_watcher() { [...] #check if called via rc.d/[SK]xxfirewall (by init) # in this case no watcher is needed if [ "$RCLINK" = "yes" ] ; then echo "[called by init --> no watcher session needed]" return fi [...old code...] } 3. new function watcher_done (which is like kill_watcher, but sends SIGUSR1 and will not kill the watcher process with TERM function watcher_done() { [...get PIDs via ps|awk or whatever...] #send USR1 ("DONE") for PID in $PIDS ; do kill -USR1 $PID done; } 4. kill_watcher renamed to watcher_ok; modified: function watcher_ok() { #make sure we are the onliest instance except watchers: [...] #serach for other instances (watchers) [...ps|awk or whatever...] #send USR2 ("OK") for PID in $PIDS ; do kill -USR2 $PID done; [...ps|awk or kill -0 PID or whatever...] #send KILL if still alive [...] } 5. The improved watcher: function watcher() { DONE="no" function signal_handler_USR1() { echo "Watcher: Signal \"DONE\" caught." DONE="yes" #remeber this state } function signal_handler_USR2() { echo "Watcher: Signal \"OK\" caught --> Exiting." #maybe we got "OK" before "DONE" if [ "$DONE" != "yes" ] ; then echo "Warning, we are not DONE!" fi exit 0; } [...] trap "signal_handler_USR1" SIGUSR1 trap "signal_handler_USR2" SIGUSR2 [...] #give firewall some time to set up rules for (( n=0 ; n/dev/null ; then true; #echo "Watcher: $n --> $WATCH_ME alive..." else echo "Watcher: set up (by PID:$WATCH_ME) finished after $n seconds." break fi done #check if firewall is still running and kill in this case [...] if [ "$DONE" != "yes" ] ; then echo "Watcher: Warning, firewall finished but we are not DONE!" #don't wait, just open SSH else echo "Watcher: DONE, waiting for OK..." #give admin some time to call "firewall ok" which kill # this process. After that time we open SSH for (( n=0 ; n waiting..." sleep 1; #more safe than sleep $TIMEOUT done echo "Watcher: no \"OK\" after $TIMEOUT seconds!" echo "Watcher: firewall seems to be closed to much!" echo "Watcher: Forcing SSH to be open." fi force_ssh_open_direct; echo "Watcher: exiting." exit 1 } Today I made some more tests, this solution seems to be reliable through SSH. I think it's a good way to do it, but of course comments are welcome as always! oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.