One of the NTP Pool server operators emailed recently and told me that his server was unavailable for a few hours because he had changed some firewall rules remotely and managed to lock everyone out. Oops!
There's an easy way to do safe remote firewall changes.
He should have used the at daemon to automatically recover! If you don't have a console server then you absolutely must get in the habit of using it before doing anything that can lock you out of your server.
The basic concept is to set up something that in, say, 5 minutes will undo whatever you're about to do. So if you are messing with the firewall rules, the easy way is to tell it to disable the firewall in five minutes. For example, on Fedora and RHEL you can use service iptables stop to stop the firewall, so as root enter:
at "now + 5 minutes"
service iptables stop
You can type a whole list of commands and when you're done, press ctrl-d to stop. It will look something like:
# at "now + 5 minutes"
service iptables stop
job 6 at Tue Sep 18 17:53:03 2007
#
Another variation to "program" the at daemon would be:
echo service iptables stop | at "now + 5 minutes"
Anyway, now you go mess with the firewall for 5 minutes and when you're done you delete the at job. You use the atq command to see a list of queued jobs and then atrm to remove it:
# atq
6       Tue Sep 18 17:53:00 2007
# atrm 6
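As an added example (not from the original post), here is a small POSIX sh wrapper that generalizes the procedure above: it saves the current rules, queues a restore job with at, runs the edit, and removes the job only if the operator can still answer a prompt. The file path, the 5-minute window and the function names are this example's own assumptions, and it restores the saved ruleset rather than stopping the firewall outright.

```shell
#!/bin/sh
# Added example, not from the original post: wrap a risky firewall edit in
# an at(1) rollback job. Assumes iptables-save/iptables-restore and a running
# atd; the path and the 5-minute window are this example's own choices.

ROLLBACK_MINUTES=${ROLLBACK_MINUTES:-5}
SAVED_RULES=${SAVED_RULES:-/root/iptables.safe}

# Pull the job number out of at's "job N at <date>" confirmation (which at
# prints on stderr, possibly after a "warning: commands will be executed
# using /bin/sh" line), so the job can be removed later with atrm.
at_job_id() {
    printf '%s\n' "$1" | sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

# The command the at job will run. Restoring the saved ruleset is a safer
# fallback than "service iptables stop": the host returns to a known-good
# policy instead of running with no firewall at all.
rollback_job() {
    printf 'iptables-restore < %s\n' "$1"
}

# Queue the rollback and print its at job id (empty if at failed).
schedule_rollback() {
    at_job_id "$(rollback_job "$SAVED_RULES" | at "now + $ROLLBACK_MINUTES minutes" 2>&1)"
}

# Usage: safe_firewall_edit [command...]   (no command: an interactive shell)
safe_firewall_edit() {
    iptables-save > "$SAVED_RULES" || return 1
    job=$(schedule_rollback)
    [ -n "$job" ] || { echo "could not queue the at job, aborting" >&2; return 1; }
    echo "rollback queued as at job $job, fires in $ROLLBACK_MINUTES minutes"
    [ $# -gt 0 ] || set -- "${SHELL:-sh}"
    "$@"
    # Only cancel the rollback if someone is still able to answer here: a
    # dropped session never answers, so the job fires and the rules revert.
    printf 'Still connected and the new rules work? Type yes to keep them: '
    read -r answer
    if [ "$answer" = yes ]; then
        atrm "$job" && echo "rollback job $job removed"
    else
        echo "leaving job $job queued; rules revert in $ROLLBACK_MINUTES minutes"
    fi
}
```

Run it as root, e.g. safe_firewall_edit iptables -A INPUT -p tcp --dport 123 -j ACCEPT, or with no arguments to get a shell for a longer editing session.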
Editing firewall rules is a great use case for this, but other neat ways to use at could be:
- You mess with the network configuration. Make the system just reboot in case you get it wrong (be sure that the working configuration files are put back; or that you don't edit the configuration files until you've gotten it working with
- You take something down for maintenance; use at to schedule it being started again in an hour. So if you forget to restart it, it'll come back in an hour at the latest.
For example, start MySQL replication at 8pm:
$ at 20:00
mysql -uroot -e 'start slave;'
^D
job 8 at Tue Sep 18 20:00:00 2007
Send yourself a reminder:
$ at 18:32
mail -s "put money in parking meter!" firstname.lastname@example.org < /dev/null
^D
job 8 at Tue Sep 18 18:32:00 2007
You have to make sure atd is running, of course, but on most Unix systems it should be (it's installed on OS X, but isn't running by default).