Firewall script with watcher process (was: [suse-security] Locking yourself out)

* Steffen Dettmer wrote on Sat, Apr 28, 2001 at 16:44 +0200:

The idea:

ssh $HOST $FIREWALL_START ssh $HOST $FIREWALL_WATCHERKILL

I implemented such a thing. It seems to be reliable and usable. First tests looked good. To share the results here some note and details (some parts [...] cut): 1. launching the watcher, in bash shell code: function launch_watcher() { #make sure we are the onliest instance: [...] #launch watcher ($0 watcher) { export caller=$0; export WATCH_ME=$$; export TIMEOUT; nohup setsid $0 watcher 2>&1 | $LOGGER & last=$! if [ "$PIPESTATUS" != "0" ] ; then echo "error launching watcher process!"; echo "error launching watcher process!" | $LOGGER; exit 1; fi } & sleep 2; #now we need to check if the watcher is still running (it # exits immediatly on error ps ax | egrep "\? .* $0" | egrep -v "(grep|$$)" > /dev/null if [ "$?" != "0" ] ; then echo "Watcher already DIED!" echo "check syslog!" test -r /var/log/messages && tail /var/log/messages exit 1; else echo "Watcher session is running." fi } 2. The watcher itself: function watcher() { function signal_handler() { echo "Watcher: Signal \"OK\" caught --> Exiting." exit 0; } #called correctly? [...] trap "signal_handler" SIGUSR1 #give firewall some time to set up rules [...] #check if firewall is still running and kill in this case if kill -0 $WATCH_ME 2>/dev/null ; then echo "Watcher: $WATCH_ME alive...TIMED OUT. KILLING IT NOW." kill -TERM $WATCH_ME 2>/dev/null [...] sleep 1 force_ssh_open_direct; echo "Watcher: exiting." exit 1 fi echo "Watcher: waiting for OK..." #give admin some time to call "firewall ok" which kill # this process. After that time we open SSH for (( n=0 ; n waiting..." sleep 1; #more safe than sleep $TIMEOUT done [...] echo "Watcher: Forcing SSH to be open." force_ssh_open_direct; echo "Watcher: exiting." exit 1 } 3. killing the watcher (param "ok"): function kill_watcher() { #make sure we are the onliest instance except watchers: [...] #serach for other instances PIDS=`ps ax | egrep "$BASENAME.*watcher" | egrep -v "(grep|$$)"|awk '{ print $1 }'` [...] #send USR1 ("OK") for PID in $PIDS ; do kill -USR1 $PID done; [...] #send KILL if alive [...] } 4. putting it together: [...case $1 in...] start) conf_options; #load config file launch_watcher; #watcher into background parse_hosts; #some checks... init_chains; #set up ruls [...] watcher) #not be specified by commandline! watcher 2>&1 | $LOGGER; ;; ok) kill_watcher; ;; [...] 5. Usage: # ~ ssh remote_firewall <login> # ~ /etc/rc.d/firewall start Firewall (watch, rp, icmp) $Revision: 1.53 $ Watcher session is running. [...] Firewall set up successfully. Total number of rules: 100 (now run "/etc/rc.d/firewall.std ok") # ~ /etc/rc.d/firewall.std ok Firewall (watch, rp, icmp) $Revision: 1.53 $ Ok, sending "OK" to watcher. Done. # ~ exit :) On Error the watcher inserts SSH rule an reports that via syslog (logger) into /var/log/messages or whatever:: firewall[32684]: Watcher: activated firewall[32620]: Firewall set up successfully. Total number of rules: 100 firewall[32684]: Watcher: set up (by PID:32620) finished after 17 seconds. firewall[32684]: Watcher: waiting for OK... firewall[32684]: Watcher: Me (32684) is still alive after 20 seconds! firewall[32684]: Watcher: firewall seems to be closed to much! firewall[32684]: Watcher: Forcing SSH to be open. firewall[32684]: Watcher: inserting ssh accept rules in input chain... firewall[32684]: Watcher: opening output chains COMPLETLY (!)... firewall[32684]: Watcher: exiting. otherwise just a nice: firewall[1659]: Watcher: Signal "OK" caught --> Exiting. Yep, I thing I like it :) Comments? Have a nice weekend! oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.