Rolling Back OpenBSD PF Changes

submitted by
Style Pass
2021-06-29 12:30:04

If you have ever done something dumb in a firewall config and locked yourself out of a machine, you will appreciate the ability to automatically roll a configuration back to a previous version after a timeout period. This is something that commercial routers and firewall devices from Cisco, Juniper, and others have implemented, though their solutions cover more than just the firewall itself.

The obvious fault in this is that if I lock myself out or cause some sort of calamity, there is no built-in ability to revert to a previous config automatically with OpenBSD's pfctl(8). You can accomplish something like this with a shell one-liner:

This will load the /etc/pf.conf ruleset, wait 60 seconds, and then disable PF so you can get back in and fix whatever you broke. If you wanted instead to load a different ruleset, you could do something like this:

However, one-liners like this have disadvantages. They are not very extensible, and if you want to take other actions on timeout, the one-liner gets messy quickly.
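The confirm-or-roll-back procedure described above, written out as a small POSIX sh script so it can grow beyond a one-liner (an added example, not code from the original post). It assumes OpenBSD's pfctl(8); PFCTL and CONFIRM_FILE are hypothetical variables added so the rollback logic can be exercised with a stand-in for pfctl.

```sh
#!/bin/sh
# Added example (not from the original post): load a PF ruleset, then roll
# it back automatically unless the change is confirmed within a timeout.
# Assumes OpenBSD pfctl(8). PFCTL and CONFIRM_FILE are hypothetical knobs
# that let the rollback logic be exercised with a stand-in for pfctl.
PFCTL=${PFCTL:-pfctl}
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/pf-rollback.confirm}

# Roll back: reload a known-good ruleset if one was given, otherwise
# disable PF entirely, as the "sleep 60; pfctl -d" approach does.
pf_rollback() {
    if [ -n "$1" ]; then
        "$PFCTL" -f "$1"
    else
        "$PFCTL" -d
    fi
}

# Usage: pf_apply_with_rollback NEW_RULESET TIMEOUT_SECONDS [FALLBACK_RULESET]
# Returns 0 if the change was confirmed in time, 1 if it was rolled back,
# 2 if the new ruleset failed to parse or load.
pf_apply_with_rollback() {
    ruleset=$1 timeout=$2 fallback=$3
    # If the new rules cut our session off, the shell gets SIGHUP; ignore it
    # so the wait and the rollback still run after we are gone.
    trap '' HUP
    rm -f "$CONFIRM_FILE"
    # Parse-only pass first (-n): a syntax error should never reach the kernel.
    "$PFCTL" -nf "$ruleset" || return 2
    "$PFCTL" -f "$ruleset" || return 2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            return 0            # operator confirmed from a live session
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    pf_rollback "$fallback"     # timeout: nobody confirmed, undo the change
    return 1
}

# Run this from a second session once you know you are still connected.
pf_confirm() {
    : > "$CONFIRM_FILE"
}
```

Source the script, run `pf_apply_with_rollback /etc/pf.conf 60 /etc/pf.conf.good &` from the session making the change, then open a fresh login and run `pf_confirm`; if that login never succeeds, the fallback ruleset is reloaded after 60 seconds.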
