# how to modify ipfw rule in php-fpm



## benpptung (Jul 4, 2011)

I've tried to modify the ipfw rules with php-cli on the command line; since I am root, it's OK.

But when I modify the rule via a web page (backend is php-fpm), I got the following error message.


```
[04-Jul-2011 03:13:51] WARNING: [pool php-default] child 47441 said into stderr: "ipfw: socket: "
[04-Jul-2011 03:13:51] WARNING: [pool php-default] child 47441 said into stderr: "Operation not permitted"
```

Is there any way to allow php-fpm to modify the ipfw rules?

I am considering using sudo to give the php-default account the right to modify ipfw. Is that a good idea? I'd appreciate any good suggestions.


----------



## SirDice (Jul 4, 2011)

The www user Apache runs on doesn't have permission to change the firewall rules.


----------



## benpptung (Jul 4, 2011)

SirDice said:

> The www user Apache runs on doesn't have permission to change the firewall rules.



I am using php-fpm, which runs as another system user that Apache connects to via FastCGI. As you can see in my error log, the user is named php-default, which I created. I've added this user to the wheel group, but it doesn't work.


----------



## SirDice (Jul 4, 2011)

Then it's that user account that doesn't have the privileges. Keep in mind that only root is capable of changing the firewall rules.


----------



## benpptung (Jul 4, 2011)

Yes, and thank you. So, what I am thinking is to install security/sudo and give the account I created the privilege to modify ipfw rules.

Does sudo work for this? Or is there any other workaround to modify ipfw rules?

Since I'm going to travel to another country, I am seeking a way to gain control of my servers.


----------



## SirDice (Jul 4, 2011)

benpptung said:

> Since I'm going to travel to another country, I am seeking a way to gain control of my servers.


Use ssh(1).


----------



## benpptung (Jul 4, 2011)

SirDice said:

> Use ssh(1).



I want to modify ipfw rules in a web-based application because I need to get ssh access to my system.

My current ipfw rules deny any ssh access except specific IPs, so I need to have a web-based application allowing me to tell the system which IP is allowed to access ssh when I am traveling. Of course, I'll use SSL and login to protect this web-based app.


----------



## SirDice (Jul 4, 2011)

You have a "chicken and egg" problem. You can't add firewall rules because that requires root access. To get root access you could use sudo. However, sudo needs to be configured as root, which you don't have.

Next time just allow any IP in, use public/private key authentication and use something like security/sshguard-pf to keep the brute-force attacks in check.

Proper ssh access makes things so much easier...


----------



## DutchDaemon (Jul 4, 2011)

If I *had* to make a backdoor into pf for myself, I would rather use OpenVPN straight up, or a special email address that triggers a pf table insert using an internal procmail recipe or something like that. Never a web server.


----------



## Kesano (Jul 6, 2011)

I have solved this problem the following way:

Install security/sudo.

/usr/local/etc/sudoers:

```
# default root entry
root ALL=(ALL) ALL
# let the www user run ipfw as root without a password
www ALL=(ALL) NOPASSWD: /sbin/ipfw
```

Then PHP:

```
...
$out.= exec('/usr/local/bin/sudo /sbin/ipfw add 1000 allow all from '.$ip.' to any');
...
```


----------



## DutchDaemon (Jul 6, 2011)

I'm sure you have a lot of bandwidth.


----------



## benpptung (Jul 7, 2011)

Kesano said:

> I have solved this problem the following way:



Thank you all for the suggestions. I've resolved this in a similar way, but with a few differences.

In sudoers:


```
php-super ALL=(root) NOPASSWD: /usr/local/bin/php -f /path/to/backdoor.php
```

Then in Apache, under the specific VirtualHost that allows access to the backdoor web app, point the PHP handler to the specific PHP user. Of course, I set up a special PHP user named php-super in the php-fpm pool.


```
Alias /path/to/php/fastcgi/handler /path/to/fastcgi/php-super
```

Then in PHP:

```
passthru('sudo /usr/local/bin/php -f /path/to/backdoor.php');
```

Now backdoor.php has root privileges and can do everything I want. Create backdoor.php and store it somewhere with no web access. In backdoor.php:

```
exec('/sbin/ipfw -q add 1000 allow tcp from ' . $ip . ' to me dst-port 22 in via em1 setup limit src-addr 3');
```

The idea is that the php-super user is limited to running only backdoor.php, and backdoor.php only does the specific required ipfw rule change.


----------
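Both PHP snippets in this thread (Kesano's `exec()` and the `exec()` in benpptung's backdoor.php) splice a request-supplied `$ip` straight into a shell command that runs as root. The following is an added example, not code from either poster, showing the same "add one allow rule for one address" step with the input validated and quoted before it reaches the shell, and with ipfw's exit status checked instead of ignored. The sudo path, rule number 1000, interface `em1` and the function names are assumptions taken from or modelled on the thread's snippets.

```php
<?php
// Added example (not from the thread): hardened form of the exec() calls
// posted above. The address is validated as a plain IPv4 literal, then
// quoted, then the command's exit status is checked.
// Assumptions: sudo lives at /usr/local/bin/sudo, the rule number is 1000,
// the outside interface is em1 (as in benpptung's rule).

declare(strict_types=1);

/**
 * Return the address if it is a plain IPv4 literal, otherwise null.
 * Hostnames, CIDR blocks, IPv6 and anything containing whitespace or shell
 * metacharacters fail FILTER_VALIDATE_IP and are never passed to the shell.
 */
function validate_ipv4(string $candidate): ?string
{
    $ip = filter_var(trim($candidate), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

/**
 * Build the ipfw command. The rule body mirrors benpptung's final rule;
 * escapeshellarg() is applied as a second line of defence even though
 * validate_ipv4() already rejected anything unusual.
 */
function build_ipfw_command(string $ip, int $ruleNumber = 1000, string $iface = 'em1'): string
{
    return sprintf(
        '/usr/local/bin/sudo /sbin/ipfw -q add %d allow tcp from %s to me dst-port 22 in via %s setup limit src-addr 3',
        $ruleNumber,
        escapeshellarg($ip),
        escapeshellarg($iface)
    );
}

/**
 * Validate, build and (optionally) run the command. Returns true only when
 * ipfw exited 0; $message carries either the rejection reason, the command
 * that would run (dry run), or ipfw's combined stdout/stderr on failure.
 */
function allow_ssh_from(string $candidate, ?string &$message = null, bool $execute = true): bool
{
    $ip = validate_ipv4($candidate);
    if ($ip === null) {
        $message = 'rejected: not a valid IPv4 address';
        return false;
    }
    $command = build_ipfw_command($ip);
    if (!$execute) {
        $message = 'dry run: ' . $command;
        return true;
    }
    $output = [];
    $status = 1;
    exec($command . ' 2>&1', $output, $status);
    $message = implode("\n", $output);
    return $status === 0;
}

// Constructed sample inputs: a valid address, a malformed one, and a
// hostname. Only the first is accepted; the loop runs in dry-run mode so
// the example can be executed without root or a sudoers entry.
foreach (['203.0.113.7', '203.0.113.7 extra', 'example.invalid'] as $candidate) {
    $ok = allow_ssh_from($candidate, $msg, false);
    printf("%-20s => %s: %s\n", $candidate, $ok ? 'accepted' : 'refused', $msg);
}
```

The sudoers side matters as much as the PHP side: Kesano's entry lets the `www` user run `/sbin/ipfw` with any arguments as root, so a bug anywhere in the web app can change any firewall rule, while benpptung's entry only permits one fixed script, which in turn only issues the one rule. Keeping the sudo grant that narrow, and keeping the script outside the document root, is what limits the blast radius if the web application is compromised.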

