Reverse Path Filtering prevents certbot renewal using HTTP-01 acme-challenge

To fix the problem in an automatic way, this is what I did:

  1. my web server runs a certbot renew every Sunday at 00:01;
  2. one minute before, IPFire, through the user fcronuser, runs a shell script changing the RPF status;
  3. 15 minutes later, it reverts to the default status.

To accomplish this, I followed the fantastic @bonnietwin tutorial to create fcronuser with all the right configuration to have fcrontab start the script with superuser privileges. It works flawlessly.

00 0 * * 7 "sudo /home/cfusco/bin/rpf.sh 2"
15 0 * * 7 "sudo /home/cfusco/bin/rpf.sh 1"

Of course, take care to change the path of the script.

This is the heart of the script:

#!/bin/bash

###########################################################
# set strictness of Reverse Path Filtering; see RFC 3704, #
# section 2.2: 1, RPF strict; 2, RPF relaxed.             #
###########################################################

# Accept only the two modes the fcrontab entries use; anything else
# (including an empty argument, which would turn RPF off) is rejected.
case "$1" in
    1|2) ;;
    *) echo "usage: $0 <1|2>  (1 = strict, 2 = relaxed)" >&2; exit 1 ;;
esac

/sbin/sysctl net.ipv4.conf.default.rp_filter="$1"
/sbin/sysctl net.ipv4.conf.all.rp_filter="$1"
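One thing worth checking after the 15-minute window is that the revert actually ran and no interface was left in relaxed mode. The script below is an added example, not part of the post above: it audits rp_filter on every interface under a sysctl-style directory (pass /proc/sys/net/ipv4/conf on the firewall) and fails if any interface differs from the expected mode. The directory is a parameter so it can also run against a constructed sample tree; the interface names green0 and red0 in the sample are assumptions.

```bash
#!/bin/sh
# Added example: audit the rp_filter setting of every interface and
# compare it with the mode that should be active right now.

# Map the numeric sysctl value to the RFC 3704 terminology.
rpf_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# rpf_audit DIR EXPECTED
# Prints one line per interface found under DIR/<iface>/rp_filter and
# returns 1 if any interface is not in the EXPECTED mode.
rpf_audit() {
    dir="$1"; expected="$2"; rc=0
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        read -r value < "$f"
        printf '%-8s %s\n' "$iface" "$(rpf_name "$value")"
        [ "$value" = "$expected" ] || rc=1
    done
    return $rc
}

# Constructed sample tree standing in for /proc/sys/net/ipv4/conf,
# with one interface (red0, an assumed name) left in loose mode.
make_sample_tree() {
    for iface in all default green0 red0; do
        mkdir -p "$1/$iface"
        echo 1 > "$1/$iface/rp_filter"
    done
    echo 2 > "$1/red0/rp_filter"
}

# Demo run against the constructed tree; on IPFire, call
# rpf_audit /proc/sys/net/ipv4/conf 1 instead.
rpf_demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    if rpf_audit "$tmp" 1; then echo "RPF strict everywhere"
    else echo "WARNING: RPF not strict on all interfaces"; fi
    rm -rf "$tmp"
}
```

Scheduling rpf_audit a few minutes after the revert entry (and alerting on a non-zero exit) catches the case where the second fcrontab job never fires.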